log4j exposure status in Evernote?

[Carl923 1]

What is the status the recently discovered log4j exploit at Evernote?   Can you positively confirm it has been completely addressed?  Thank you.

[PinkElephant 8,073]

Me ? Any other user ? Whom are you asking ?

If you have questions at EN, issue a support ticket.

And work on your backup … just in case 🔥

[Carl923 1]

I'm asking about Evernote as a product.  Is the product and its supporting infrastructure secure from this latest log4j RCE exposure?

[zip 0]

I'm asking about Evernote as a product.  Is the product and its supporting infrastructure secure from this latest log4j RCE exposure?

 

I have the same question.

[zip 0]

I'm asking about Evernote as a product.  Is the product and its supporting infrastructure secure from this latest log4j RCE exposure?

 

How do I ask Evernote this question? Hard to find the proper contact information. 

[agsteele 2,942]

You are asking other users about something that has never been asked here. Suggest you raise a support ticket.

[zip 0]

3 minutes ago, agsteele said:

You are asking other users about something that has never been asked here. Suggest you raise a support ticket.

Thanks for getting back to me. How do I raise a support ticket? The choice of asking questions is very limited/not fitting this question. You basically have 3 choices via the web. What am I missing?

[ehrt74 240]

I have no idea about the infrastructure, but the v10 clients do not use Java* and are therefore safe.

 

* it's possible the Android client uses some Java wrapper code. I don't know how react native works.

[Carl923 1]

14 hours ago, agsteele said:

You are asking other users about something that has never been asked here. Suggest you raise a support ticket.

Sorry, first time posting to this forum.  Am used to other product forums where the company participates.  Sounds like thats not the case here.

[gazumped 11,652]

Evernote say that they read all the posts ..eventually.. and we get product announcements and general comments from time to time,  but they're busy enough with Support tickets that have a definite priority system and I wouldn't think they'd want to answer backdoor individual questions here.  They may also not be too forthcoming about security matters generally - no point in saving the bad guys the work of exploring the system for potential weak spots by listing the ones they can eliminate as being protected...

[chilum 0]

Please be aware that it is very likely that Evernote is also vulnerable to the log4j exposure.

I am writing this because just today, actually about 3 hours ago my Evernote account was hacked.

I immediately check if my password has been compromised in the haveibeenpwned dot com site and found that it has NOT been compromised.

This leads me to believe that the attackers have hacked my account through a different vector.

I can only blame myself for not enabling 2FA, which I urge you all to do ASAP.

BTW, I didn't find any place to report this incident in the Evernote site.

[ehrt74 240]

16 hours ago, gazumped said:

Evernote say that they read all the posts ..eventually.. and we get product announcements and general comments from time to time,  but they're busy enough with Support tickets that have a definite priority system and I wouldn't think they'd want to answer backdoor individual questions here.  They may also not be too forthcoming about security matters generally - no point in saving the bad guys the work of exploring the system for potential weak spots by listing the ones they can eliminate as being protected...

It wouldn't surprise me if Evernote does say something about this vulnerability soon. Log4j is all over the news at the moment.

 

Seeing as Evernote is now a SAAS product, fixing a vulnerability (provided the back end code is vulnerable) should be possible quite quickly. When a Java application is packaged for deployment all the jars get bundled together, so finding out if log4j is used shouldn't be that difficult (unless they're doing some crazy class-loading at runtime or whatever).

 

However I don't think anyone knows what Evernote is written in. Job opportunities and Wikipedia both suggest it's written in C++.

[gazumped 11,652]

4 hours ago, ehrt74 said:

However I don't think anyone knows what Evernote is written in.

It's running on Google servers.  so I'd imagine they have the security angle pretty well covered...

[Carl923 1]

6 hours ago, gazumped said:

It's running on Google servers.  so I'd imagine they have the security angle pretty well covered...

Not sure where the code runs matters - it's Evernote's code, not Google's.

[PinkElephant 8,073]

The question is what can be expected :

Yes, we are exposed, thank you => makes EN an even lager target

No, we are not exposed => will not stop questioning here in the forum (my experience ...)

The fact it runs on Google servers at least makes clear that the environment is as professionally managed as possible.

[gazumped 11,652]

On 12/14/2021 at 5:48 PM, chilum said:

BTW, I didn't find any place to report this incident in the Evernote site.

Sorry - I missed this comment from earlier.  See https://help.evernote.com/hc/en-us/articles/115004395487-What-to-do-if-you-suspect-unauthorized-access-to-your-Evernote-account for general help,  and the Support link on that page if you have a specific issue.  Evernote do have a process of informing users if there has been any suspicious activity on  their account,  so if you didn't have an email from them,  chances are your experience was not significant.  However,  this being a public forum - take it up with them direct if you have issues.  No one here can comment further,  other than offering our own uninformed opinions.  

[ehrt74 240]

15 hours ago, Carl923 said:

Not sure where the code runs matters - it's Evernote's code, not Google's.

To some degree you're right. However managed environments like google cloud include ways to filter outgoing as well as incoming traffic. As far as I know, this needs to be configured. 

The main Evernote service seems to have been written in C++. This means it is not vulnerable to the log4j problem. I'm not a fan of C++ as a programming technology, but the Evernote code has been around for a while so i imagine they've got a large number of bugs. C++ is a fairly low-level language (and no internet service needs to be low-level). Nowadays something like go would be a better choice (high-level language with the performance of a low-level language without the unneeded capabilities). However go does not play well with other languages so unless Evernote is gradually ripping their software apart into microservices a migration will be a lot of work.

All of which means that log4j isn't a problem as far as i can see for Evernote. I've also had a look at Android. Android does not support JNDI (Google's security is enormously good, so i imagine they never entertained the possibility of supporting JNDI in Android), which means that it is not vulnerable.

[PinkElephant 8,073]

I read an interview today with one of the devs of log4j. This program was build really by open source, they were not paid to contribute. He was with the first version releases, just following the second generation development while working on other projects with the Apache group.

His conclusion: Everybody who is on a reasonable update cycle should have no problem to install the patch. He said the worst problem probably have banks who rely on high performance transaction systems, and never updated for years out of fear something could go wrong. They can’t patch now …

For everybody concerned: When did you run your last backup ? Even if a server is compromised, it won’t touch a copy resting on a local hard drive, not connected to a device. And no, I am not concerned, it is just best practice.

[Colleen O 10]

I remember reading something about Evernote using the Electron framework (JavaScript, HTML, and CSS). The rationale for doing this was because it's easier to create cross-platform apps. Remember the start of all the EN "commotion"?

Many cloud-based applications use a webserver and database server on the backend.

The way I understand this vulnerability, you don't need to have Java installed. The log4j is an open-source library and many applications use it. We removed all Java installations from users' desktops long ago (when Sun decided that you had to pay for it), but we found out that we have a few applications that have and use the log4j library.

This log4j story came out in the news ("The Internet is on Fire") with a focus on Minecraft. The story goes on to say that players got infected with malware when code was distributed through the game chat. 

Like the Minecraft players, we (Evernote users) are "clients" and are connected to the EN servers so we may not be "safe".

@Carl923 has a legitimate concern and I don't feel that it's wrong to post that here because another user may have asked EN Support, got an answer, and would be willing to share the response.

However, I also feel that EN should be forthcoming and post a statement as many other application developers have - not affected, affected but patched, still investigating, etc.

[ehrt74 240]

1 hour ago, Colleen O said:

I remember reading something about Evernote using the Electron framework (JavaScript, HTML, and CSS). The rationale for doing this was because it's easier to create cross-platform apps. Remember the start of all the EN "commotion"?

Many cloud-based applications use a webserver and database server on the backend.

The way I understand this vulnerability, you don't need to have Java installed. The log4j is an open-source library and many applications use it. We removed all Java installations from users' desktops long ago (when Sun decided that you had to pay for it), but we found out that we have a few applications that have and use the log4j library.

This log4j story came out in the news ("The Internet is on Fire") with a focus on Minecraft. The story goes on to say that players got infected with malware when code was distributed through the game chat. 

Like the Minecraft players, we (Evernote users) are "clients" and are connected to the EN servers so we may not be "safe".

@Carl923 has a legitimate concern and I don't feel that it's wrong to post that here because another user may have asked EN Support, got an answer, and would be willing to share the response.

However, I also feel that EN should be forthcoming and post a statement as many other application developers have - not affected, affected but patched, still investigating, etc.

Hello!

A couple of points. The evernote back end does not run on the JVM, and none of the current clients do. I don't know what the legacy clients were written in (can someone add this information?) The legacy Android client was written in a langauge whose syntax and class structure closely resembles Java, but does not include JNDI, so it is also not affected.

Log4j is a Java library. Unless the code is written in a language that runs on the JVM you don't need to worry.

There is however a possibility that Evernote uses the JVM for some small services, and as you say, it would be nice to have clarity here.

[gazumped 11,652]

4 hours ago, ehrt74 said:

and as you say, it would be nice to have clarity here.

...Support tickets all around then,  eh folks?

[coffeenow 0]

Hi team, any official log4j status from Evernote yet? It would be great to tick them off the list and it's nearly been a month!

On 12/17/2021 at 10:38 PM, gazumped said:

...Support tickets all around then,  eh folks?

Thanks in advance!

[PinkElephant 8,073]

None ... i assume. EN will not comment on issues concerning the server operation, at least if I take experience from the past.

EN servers run in Google datacenters. I doubt something communicated and patched is going to survive a long time in such a surrounding - sort of snowflake entering hell.

The main problem with this issue seems to be in other places, like banking. These guys often have not updated their core transaction machines in years, out of fear to break something. The patches depend on a relatively fresh status of the software.

So better watch if your money is still in your account - the notes are doing fine, thank you.

[Austin G 527]

Hey Folks. We are aware of the LOG4J2 vulnerability and our team has thoroughly investigated this issue. Evernote has upgraded the relevant components of our infrastructure, and is confident there was no impact on Evernote users at any time. No updates were required for Evernote apps, and no action is required by Evernote users. Please let us know if you have any questions or concerns.