Update on the Apache Log4j
Update as of December 17, 2021
Pitney Bowes has been working diligently to address the security issue relating to the open-source Apache Log4j2 utility (CVE-2021-44228 & CVE-2021-45056). We have inventoried our systems, including our products, to identify where these vulnerabilities may exist. As necessary, we have either patched the vulnerability by updating to the latest Log4j version or applied additional mitigations in the interim. These additional mitigations include changes to the Log4j configuration to disable the exploitable functionality and additional controls layers such as network controls and web application firewalls, to prevent the vulnerability from being exploited.
To our knowledge, no Pitney Bowes clients or client data have been impacted.
- Sending Technologies
Our physical mail meters were never vulnerable and do not contain Log4j2 software. The SendPro family of solutions and mail creation products that did contain the Log4j2 software have been remediated and are no longer vulnerable. Out of an abundance of caution, we are working to upgrade any of our legacy shipping and mailing products which contain an older version of Log4j2, but none are vulnerable to CVE-2021-44228.
- Global Ecommerce
Delivery, returns, cross-border and fulfillment services are not vulnerable. Products that did contain the Log4j2 software have been remediated. Out of an abundance of caution, we are working to upgrade products which contain an older version of Log4j2, but none are vulnerable to CVE-2021-44228.
Presort products and services are not vulnerable.
We remain on high alert. Our dedicated security operations center is continuously monitoring and reviewing our controls, logs, and alerts in real time for any unusual behavior or network traffic, as well as running frequent scans for all our products and infrastructure. We continue to work closely with our third-party partners and suppliers to ensure they are providing necessary patches and updating their systems accordingly.
We will provide additional updates to our clients as warranted.
December 15, 2021
Pitney Bowes is aware of the recently disclosed security issue relating to the open-source Apache Log4j2 utility (CVE-2021-44228). We have inventoried our systems, including our products, to identify where CVE-2021-44228 may exist and have validated that controls are in place while the vulnerability is being remediated. We are actively deploying patches and updates and working with vendors and service providers to ensure they are updating their systems. Our security operations center continues to monitor for any unusual behavior or network traffic. We will provide updates to our clients as warranted.