Zoom Security Bulletin for Apache Log4j Disclosures

    Last updated: Jan 14, 2022 at 3:55 pm PST

    Summary

Zoom has been analyzing our products and services to identify and mitigate the Apache Log4j vulnerabilities disclosed in CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. Zoom continues to mitigate and patch vulnerable versions of Log4j in accordance with Apache’s recommendations. We plan to update each identified vulnerable Log4j instance to the latest available version, following testing, as new releases become available.

    Addressing these vulnerabilities is a top priority for Zoom. We are closely monitoring the situation and working diligently to resolve it as soon as possible. This page will be updated as material information becomes available.

    Based on our findings to date, we’ve outlined below the current status of Zoom products and services.

Zoom Products and Services: Status

    Zoom Meetings, Zoom Events, Zoom Video Webinars, OnZoom

    Zoom clients for Windows, Mac, Linux, iOS, Android, BlackBerry, VDI (and VDI plug-in), and web clients do not use the vulnerable versions of Log4j.

    No action is required by users at this time.

    Zoom’s Production Backend (excluding Third-Party Commercial Software)*

Zoom’s production backend (excluding third-party commercial software) has been updated to Log4j version 2.16.0 as the minimum version, or mitigated, to address the issues identified in CVE-2021-44228 and CVE-2021-45046. Zoom assessed the issues in CVE-2021-45105 and CVE-2021-44832 and determined that our production backend is not vulnerable because the conditions required for exploitation are not met: CVE-2021-45105 requires a non-default Pattern Layout that applies a Context Lookup (for example ${ctx:loginId}) to attacker-controlled input, and CVE-2021-44832 requires an attacker who can already modify the logging configuration to point a JDBC Appender at a JNDI URI.

    Zoom’s Production Backend Third-Party Commercial Software

We are assessing the situation with our third-party commercial software vendors, and we have applied, and will continue to apply, updates as they become available.
Zoom’s core third-party commercial software has been updated or mitigated.

    Zoom for Government

    Zoom clients for Windows, Mac, Linux, iOS, Android, BlackBerry, VDI (and VDI plug-in), and web clients do not use the vulnerable versions of Log4j.

    No action is required by users at this time.

    Zoom Phone

    Zoom Phone clients do not use the vulnerable versions of Log4j.

    No action is required by users at this time.

    Zoom Rooms and Zoom for Home

    Zoom Rooms and Zoom for Home clients do not use the vulnerable versions of Log4j.

    No action is required by users at this time.

    Zoom Chat

    Zoom Chat clients do not use the vulnerable versions of Log4j.

    No action is required by users at this time.

    Zoom Marketplace

    For our backend, we have applied Apache's recommended mitigations and updated any systems identified to date to Log4j version 2.16.0 as the minimum version. No action is required by users at this time.
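The two backend statements above (update to 2.16.0 as the minimum, or apply Apache’s recommended mitigation) describe a check an operator can run on their own estate. The Python script below is an added illustration, not Zoom’s tooling and not part of the original bulletin: it finds log4j-core jars, reads the version from the jar manifest (assumed to carry an Implementation-Version header), and decides per CVE whether the jar is at or above Apache’s fix version, is covered by the JndiLookup class-removal workaround, or still needs an upgrade. The fix versions used are those of the Log4j 2.x Java 8 mainline; the 2.12.x and 2.3.x backport branches, shaded (relocated) copies and jars nested inside other archives are not handled, and the sample jars the script builds are constructed fixtures, not Apache artifacts.

```python
import io
import os
import re
import zipfile

# Fix versions on the Log4j 2.x Java 8 mainline (assumption: the 2.12.x Java 7
# and 2.3.x Java 6 backport branches have different fix versions and are not
# handled here).
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}

# Apache's workaround for releases older than 2.16.0 is to delete this class
# from log4j-core. It neutralises only the two JNDI-lookup CVEs; CVE-2021-45105
# (StrSubstitutor recursion) and CVE-2021-44832 (JDBC Appender JNDI DataSource)
# still require an upgrade.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
COVERED_BY_CLASS_REMOVAL = ("CVE-2021-44228", "CVE-2021-45046")

# Presence of this class identifies an unshaded log4j-core jar.
LOG4J_CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates a missing patch part and '-beta'/'-rc' suffixes."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess_jar(jar_bytes):
    """Classify one jar (as bytes) against the four CVEs; None if it is not log4j-core."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if LOG4J_CORE_MARKER not in names:
            return None
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
        jndi_present = JNDI_LOOKUP_CLASS in names

    # Unknown version is treated conservatively as in scope for everything.
    in_scope = [cve for cve, fixed in FIXED_IN.items()
                if version is None or version < fixed]
    mitigated = [cve for cve in in_scope
                 if cve in COVERED_BY_CLASS_REMOVAL and not jndi_present]
    needs_upgrade = [cve for cve in in_scope if cve not in mitigated]
    return {
        "version": version,
        "jndi_lookup_present": jndi_present,
        "in_scope": in_scope,
        "mitigated_by_class_removal": mitigated,
        "needs_upgrade": needs_upgrade,
    }


def scan_directory(root):
    """Walk root and yield (path, report) for each log4j-core jar found.
    Jars nested inside wars/ears/fat jars are not opened by this simple walk."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    report = assess_jar(fh.read())
            except (OSError, zipfile.BadZipFile):
                continue
            if report is not None:
                yield path, report


def make_jar(version, include_jndi_lookup, include_core=True):
    """Constructed in-memory fixture that mimics a log4j-core jar; not an Apache artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n"
                    "Implementation-Title: Apache Log4j Core\r\n"
                    f"Implementation-Version: {version}\r\n")
        if include_core:
            zf.writestr(LOG4J_CORE_MARKER, b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, report in scan_directory(sys.argv[1]):
            print(path, report)
    else:
        for ver, jndi in [("2.14.1", True), ("2.14.1", False), ("2.16.0", True), ("2.17.1", True)]:
            print(ver, "JndiLookup present" if jndi else "JndiLookup removed",
                  assess_jar(make_jar(ver, jndi)))
```

Run with a directory argument to walk a real host; with no argument it classifies the four constructed fixtures, which show why 2.16.0 satisfies the first two CVEs but not the later two, and why deleting JndiLookup.class from an older jar is only a partial mitigation.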

    Zoom Developer Platform APIs & SDKs

    Zoom SDKs do not use the vulnerable versions of Log4j.

    No action is required by users at this time.

    Zoom On-Premises Deployment

    The Zoom Hybrid MMR, VRC, Meeting Connector, API Connector, and Recording Connector do not use the vulnerable versions of Log4j.

    Services Provided by Third Parties

    We are in the process of assessing the situation with our third parties.

    Device Partners for Zoom Phone and Zoom Rooms

    Our device partners for Zoom Phone and Zoom Rooms have confirmed that they are not impacted.

    Zoom Apps

    Our third-party Zoom Apps developers have confirmed that any Zoom App using a vulnerable version of Log4j has been updated or mitigated.

    Editor’s note: This bulletin was edited on Jan. 14, 2022 to include the most up-to-date information on Zoom’s response to the CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832 vulnerabilities.