December 2021 Security Update (CVE-2021-44228, CVE-2021-45046, log4j Java library)

Overview

Like many, Unity has been working around the clock to determine the extent of the remote code execution vulnerability in the commonly used Java library, “log4j.” As any application or service that uses an affected version of this library is potentially subject to exploitation, Unity continues to investigate all products and services for the vulnerability.

At the time of publishing, Unity has found no evidence of a breach or exploit against Unity systems using the log4j vulnerability. We therefore believe there has been no loss of customer data or intellectual property, nor any loss of Unity data or intellectual property or that of any of Unity’s partners.

Below is a confirmed list of the unaffected products. Any products that were affected have been patched to a safe version (>=2.16.0) by the time this advisory was published. This means there are currently no known affected products, but Unity will continue to update the list as part of our existing secure software development lifecycle.

Unaffected Products

We have endeavored to list every possibly affected product along with a confirmation that it is not vulnerable. Unity’s most notable products (the Unity Editor, Unity Runtime, Unity Ads, Asset Store and more) have all been confirmed NOT vulnerable. A more complete list of all unaffected products can be found below. We will continue to add to this list as more products/services are analyzed and confirmed.

Product Name                  Affected    Notes
Ads                           No          Java present for Android; log4j updated
Art Engine                    No
Asset Store                   No
Collaborate                   No
Cloud Code                    No
Cloud Content Delivery        No
deltaDNA                      No
Forma                         No
Game Simulation               No
Game Growth Program           No
In App Purchase               No
In-game messaging             No
Indie Accelerator             No
MARS                          No
Matchmaker (Beta)             No
Mediation                     No          Java present for Android; no log4j
Multiplay                     No
Multiplay Relay               No
Netcode                       No
Plastic SCM Cloud             No
Plastic SCM Enterprise        No
Reflect                       No          Java present for Android; no log4j
Remote Config                 No
Unity Cloud Build             No          Java present for compat; no log4j
Unity Editor/Runtime          No
Unity Id                      No
Unity Package Manager (UPM)   No
VisualLive                    No
Vivox                         No

 

Customer Mitigating Steps & Actions

No customer action is needed.

Unity Mitigating Steps & Actions

Any affected products have been updated to an unaffected version of the log4j library. We will continue to investigate and update products as part of our existing secure software development lifecycle (SSDLC).

FAQ

Is there any action for me as a customer of Unity products or services?

No, there are no actions for customers to take at this time.

Was there a breach, or exploit, as a result of this vulnerability?

As stated above, we have found no evidence of a breach or exploit against Unity systems using the log4j vulnerability at this time. We therefore believe there has been no loss of customer data or intellectual property, nor any loss of Unity data or intellectual property or that of any of Unity’s partners.

If we do discover evidence of a compromise, Unity will follow its established procedure for notifying the appropriate authorities, regulatory agencies, and customers, in accordance with all applicable laws and regulations.

What exact products have been affected by this vulnerability?

As we mentioned, the list of unaffected products is not comprehensive. However, as of now, there are no known affected products. If you have a question about a Unity product not listed above, please contact us via your support representative or our regular support avenues (Support Services). We will continue to update the list of affected products as part of our existing SSDLC.
