Summit Trust Center

At SymphonyAI Summit, we provide transparency and architect our products by ensuring security, privacy, and compliance are handled with utmost importance. This page provides information related to security advisories, compliance updates and any other recommendations. The most recent security advisories are available at the top arranged in descending order.

Summit is committed to providing a secure application and components for its customers and follows a stringent process to analyze track, and resolve all the product-related security issues and vulnerabilities. Click here to access the detailed information on the followed process & security best practices.

Feb 23, 2023 - Go-Daddy Hacked | Impact | Next Steps

What is Go-Daddy Hack?

On November 22, 2021, the hosting platform GoDaddy revealed that an unauthorized third party had accessed their Managed WordPress hosting environment. Unfortunately, GoDaddy isn’t unique; many hosting providers remain vulnerable to similar attacks. In this article, we will discuss what is known about the incident so far.

What did this hack impact? 

• The email addresses and customer numbers of as many as 1.2 million active and inactive Managed WordPress customers were accessed, which the company said may increase the chances of phishing attacks. 
   
• The original WordPress Admin passwords were set on these accounts, which were also exposed. As a pre-emptive measure, any account still using its original WordPress Admin password was subject to a password reset.
  
  
• SFTP and database usernames and passwords of active users. Once this was discovered, GoDaddy immediately reset the passwords on these accounts.
  
  
• The SSL private keys of a subset of active customers. To address this, GoDaddy immediately began issuing and installing new certificates on affected accounts.

Has Summit hosted SaaS customers with a “symphonysummit.com” certificate impacted by this Hack?

NO.  All the Summit-hosted SaaS customers with “Symphonysummit.com” certificate are signed and verified by GlobalSign SSL CA.

Is the Summit Domain (DNS) also impacted by this Hack?

NO. Summit has subscribed for Full Domain Protection to prevent unauthorized domain actions.

What should you do if you are impacted on your Summit Instance (On-Premise / Summit hosted SaaS)?

Raise a support ticket with Go-Daddy and follow the instructions. Reach out to Summit if any certificate refresh is needed.

What is Summit doing to address the Situation?

• Summit has already contacted Go-Daddy and got a confirmation on No Impact.
• Pro-actively identify and notify the customers using Go-Daddy SSL certificates
• Inform customers to contact Go-Daddy and follow the instructions

Reference Links

• Go-Daddy
•  Virtual Armour
• IT World Canada
• Tech Target

In case of any queries or clarifications, please write to support@symphonysummit.com

Jan 20, 2023 - Vulnerability Reporting and Process Document

The following two sections were added to this document. For more information, read this document. 

• Risk Table with Remediation Timelines
• 3rd-Party Libraries
  
  

May 16, 2022 - Vulnerability Reporting and Process Document

We are happy to publish the detailed process and best practices followed in resolving product-related security issues and vulnerabilities. For more information, read this document.   

December 14, 2021 - Security Update: Critical Log4j Vulnerability

On December 9, 2021, the following vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions before 2.15.0 was disclosed:

• CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints

For a description of this vulnerability, see the Fixed in Log4j 2.15.0 section of the Apache Log4j Security Vulnerabilities page.

What is Log4J?

Log4j is a java-based logging package used by developers to log errors. Due to the popularity of the log4j library, many major publishers and manufacturers have been assessing their software to determine whether it has been impacted or not. Large enterprises like Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and more useful applications that make use of the log4j library.

Who is affected?

Any application using the log4j library with a version from 2.0-beta9 to 2.14.1 is vulnerable. This means that pretty much any application using log4j 2 is vulnerable until updated to the latest version 2.15.0. Since this library is so widely used, there isn't a simple list of all applications that use the log4j library. There are plenty of attempts to create a centralized overview of affected products:

• Dutch Cyber Security Center Affected Software List
• BlueTeam Advisories Collection
• Tech Solvency CVE-2021-44228 cheat-sheet
• Nationaal Cyber Security Centrum (NCSC-NL)

Summit & Log4J

It is important to note that Summit Product is not affected and does not utilize Apache Log4j in any of its components. At this time, no customer impact has been identified running with Summit products.  

Overall, we understand that none of the integrated OEM products is affected. However, we are working with every OEM vendor to get the confirmation and further plans of remediation if it is impacted.

Please continue to visit this page for the latest updates.

Additional Information on the Log4J Vulnerability

CVE-2021-44228, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If attackers manage to exploit it on one of the servers, they gain the ability to execute arbitrary code and potentially take full control of the system.

What makes CVE-2021-44228 especially dangerous is the ease of exploitation: even an inexperienced hacker can successfully execute an attack using this vulnerability. According to the researchers, attackers only need to force the application to write just one string to the log, and after that, they can upload their code into the application due to the message lookup substitution function.

Working Proofs of Concept (POC) for the attacks via CVE-2021-44228 are already available on the Internet. Therefore, it’s not surprising that cybersecurity companies are already registering massive network scans for vulnerable applications as well as attacks on honeypots.

This vulnerability was discovered by Chen Zhaojun of the Alibaba Cloud Security Team.

Almost all versions of Log4j are vulnerable, starting from 2.0-beta9 to 2.14.1. The simplest and most effective protection method is to install the most recent version of the library, 2.15.0. You can download it on the project page.