Vulnerability Management Policy

StarWind follows a resilient and robust product security and vulnerability management policy.

StarWind has put heavy emphasis on ensuring the security of our products and services since the release of our first product and throughout the entire company history. We always use extensive vulnerability testing programs, conduct periodic developer training, and implement secure design principles. StarWind also constantly works on improving and extending its security development policies.

StarWind adheres to the following process to address vulnerabilities and inform our customers:

Constant analysis

Our products and services are constantly and strictly analyzed for known vulnerabilities. This involves mandatory scans of all ready-to-release products and features inside the organization prior to the actual product release and delivery to the customers.

Notification

StarWind makes sure to inform customers when vulnerabilities are discovered. This is achieved by automatically notifying customers who are subscribed to StarWind Security updates of any vulnerability discovered. This allows our customers to always stay informed and take the appropriate actions to ensure the proper operation of their business.

Verification of the fixes

StarWind always first tests the fix for the identified vulnerability through a thorough QA cycle. Once the fix has been verified, we release a private security update and notify our customers about it, as well as about the steps required to apply it. StarWind security updates are delivered separately (to subscribers or on demand), and all of them are included as part of general StarWind build updates.

Resolution

Once the resolution to the vulnerability is found, tested, and verified, we notify our customers about the resolution process and the steps required to resolve the vulnerability.

StarWind security and vulnerability information-delivery methods:

  • Security Notice – informs customers about the security vulnerabilities that can affect StarWind products and require an upgrade or specific customer action to remediate.
  • Security Bug Report – informs customers about low-level security vulnerabilities that can be resolved by a standard build upgrade procedure.

Security updates delivery

StarWind as a company issues private security updates. Once notification about a potential vulnerability fix is received, a customer who is subscribed to StarWind Security updates receives notice of the remediation process steps. To receive a private security update, subscribe to StarWind Security updates or submit a request via the StarWind support form at https://www.starwindsoftware.com/support-form with a description of the vulnerability under consideration.