Update for Apache Log4j vulnerability (CVE-2021-44228)

Stripe has been aware of the vulnerability in the Apache Log4j library (CVE-2021-44228) since Thursday, December 9th, 2021. We immediately investigated Stripe’s exposure to this vulnerability and determined that our existing compensating controls protect Stripe from malicious remote code execution. In accordance with incident response procedures, we also reviewed our logs and found no evidence of customer data being impacted.

We applied immediate remediations to systems where Log4j was installed and are currently upgrading systems to a safe version of Log4j. We also reached out to our third-party vendors to understand their exposure to this vulnerability, and based on the responses received thus far, we believe there is no impact to Stripe or Stripe users.

Our investigation is ongoing, and we will continue to review throughout the coming days.

Please contact security@stripe.com if you have any additional questions or concerns.