Like many, Unity has been working around the clock to determine the extent of the remote code execution vulnerability in the commonly used Java library, “log4j.” As any application or service that uses an affected version of this library is potentially subject to exploitation, Unity continues to investigate all products and services for the vulnerability.
At the time of publishing, Unity has found no evidence of a breach or exploit against Unity systems using the log4j vulnerability. We therefore believe there has been no loss of customer data or intellectual property, nor any loss of Unity data or intellectual property or that of any of Unity’s partners.
Below is a confirmed list of the unaffected products. Any products that were affected have been patched to a safe version (>=2.16.0) by the time this advisory was published. This means there are currently no known affected products, but Unity will continue to update the list as part of our existing secure software development lifecycle.
We have endeavored to list every possibly affected product along with a non-vulnerable confirmation. Unity’s most notable products, including the Unity Editor, Unity Runtime, Unity Ads, Asset Store and more, have all been confirmed NOT vulnerable. A more complete list of all unaffected products can be found below. We will continue to add to this list as more products/services are analyzed and confirmed.
| Product | Affected | Notes |
|---|---|---|
| Ads | No | Java present for Android; log4j updated |
| Cloud Content Delivery | No | |
| Game Growth Program | No | |
| In App Purchase | No | |
| Mediation | No | Java present for Android; no log4j |
| Plastic SCM Cloud | No | |
| Plastic SCM Enterprise | No | |
| Reflect | No | Java present for Android; no log4j |
| Unity Cloud Build | No | Java present for compat; no log4j |
| Unity Package Manager (UPM) | No | |
Customer Mitigating Steps & Actions
No customer action is needed.
Unity Mitigating Steps & Actions
Any affected products have been updated to an unaffected version of the log4j library. We will continue to investigate and update products as part of our existing secure software development lifecycle (SSDLC).
No, there are no actions for customers to take at this time.
As stated above, we have found no evidence of a breach or exploit against Unity systems using the log4j vulnerability at this time. This means that at this time, we believe there has been no loss of customer data or intellectual property nor any loss of Unity data or intellectual property or that of any of Unity’s partners.
If we do discover evidence of a compromise, Unity will follow its established procedure for notifying the appropriate authorities, regulatory agencies, and customers, in accordance with all applicable laws and regulations.
As we mentioned, the list of unaffected products is not comprehensive. However, as of now, there are no known affected products. If you have a question about a Unity product not listed above, please contact us via your support representative or our regular support avenues: Support Services. We will continue to update the list of affected products as part of our existing SSDLC.