Here is what you need to know regarding Highcharts and the Log4j vulnerability:
- Highcharts is a client-side library that has no dependency on, and makes no use of, the Java-based logging package Log4j, and it is not impacted by the vulnerability.
- Highcharts has no built-in mechanism for writing data to backend services, so there is no path by which the vulnerability could be triggered from Highcharts itself.
- If you use any backend services to feed data into our libraries (or if you have modified Highcharts to send data to a server), we strongly urge you to check those services for the presence of susceptible versions of log4j.
- The impact is confined to our internal infrastructure, where Elastic and Logstash are used for internal logging and depend on log4j. Our tech team patched this manually on December 10th and took additional mitigation measures in our firewall configurations to further limit any exploitation attempts. As soon as it became available, Logstash was updated to 7.16.2, which contains log4j 2.17.0.
- After a thorough examination of our logs, we found no evidence of any successful exploits. At present, all internal systems have been checked and patched as needed, and we continue to monitor the situation closely.
Please get in touch with our support team if further clarifications are needed.