HERE Security Update on Log4Shell Vulnerability

HERE Technologies is aware of the “Log4Shell” vulnerability (categorized by the National Vulnerability Database as CVE-2021-44228), affecting many Java-based applications.

Industry analysts have given this vulnerability the highest possible severity rating: when exploited, this vulnerability allows remote code execution (RCE), compromising the targeted systems.

HERE took immediate steps to evaluate the impact of Log4Shell. As soon as the vulnerability was disclosed, we have been actively fortifying our defense layers and maximizing mitigation efforts; in fact, our Security and Engineering teams have been working tirelessly to assess and remediate this issue. We have assessed the impact and deployed numerous mitigations and patches to several of our tools and software that may include log4j, as further outlined below.

For any additional support, please open a ticket on the HERE support portal.

Update Jan 11, 2022

1. Summary

Product-specific updates complete.

2.1. Services & Applications

2.1.1. Tour Planning API

The service has been patched to mitigate the issues identified in CVE-2021-44228

2.1.2. Tracking

Not impacted

2.1.3. Fleet Telematics API

Not impacted

2.1.4. On-Street Parking API

Not impacted

2.1.5. Off-Street Parking API

The service has been patched to mitigate the issues identified in CVE-2021-44228

2.1.6. EV Charge Points API

Not impacted

2.2. Positioning

2.2.1. HD GNSS Positioning & A GNSS Positioning

Not impacted

2.2.2. Network Positioning API v1

Not impacted

2.2.3. Network Positioning API v2

Not impacted

2.3. Map Rendering

2.3.1. Map Image API

Not impacted

2.3.2. Map Tile API - Satellite Tiles

Not impacted

2.3.3. Map Tile API - Map Tiles

Not impacted

2.3.4. Map Tile API - Traffic Tiles

Not impacted

2.3.5. Vector Tile API

Not impacted

2.4. Real-Time Traffic

2.4.1. Traffic API v6

Not impacted

2.4.2. Traffic TPEG API

Not impacted

2.4.3. Traffic API v7

Not impacted

2.5. Routing

2.5.1. Isoline Routing API v8

Not impacted

2.5.2. Matrix Routing API v8

Not impacted

2.5.3. Route Matching v8

Not impacted

2.5.4. Routing API v7

Not impacted

2.5.5. Routing API v8

Not impacted

2.5.6. Waypoints Sequence v8

Not impacted

2.5.7. Routing Hybrid (mSDK 3.x) API

Not impacted

2.6. Geocoding & Search

2.6.1. Batch Geocoder API v6

Not impacted

2.6.2. Forward Geocoder API v6

Not impacted

Reverse Geocoder API v6

Not impacted

2.6.3. Geocoder Autocomplete API v6

Not impacted

2.6.4. Geocoding & Search API v7

Not impacted

2.6.5. Places (Search) API v6

The service has been patched to mitigate the issues identified in CVE-2021-44228

2.7. Transit

2.7.1. Intermodal Routing API v8

Not impacted

2.7.2. Public Transit API v3

Not impacted

Public Transit API v8

Not impacted

2.8. Dynamic Content

2.8.1. Fuel Prices API

Fuel Price API has been patched to mitigate the issues identified in CVE-2021-44228.

2.8.2. Safety Cameras

Not impacted

2.8.3. Destination Weather API

Not impacted

2.8.4. Map Attribute API

Not impacted

2.8.5. Map Feedback API

Not impacted

2.9. Workspace & Marketplace

2.9.1. Logs

Not impacted

2.9.2. Monitoring and alerts

Not impacted

2.9.3. Pipelines

Pipeline Management Services are not impacted.

Pipeline Runtime environments:

• Pipeline Management services running in Pipeline Runtimes are patched to mitigate the issues identified in CVE-2021-44228.

• All Flink and Spark components are patched to mitigate the issues identified in CVE-2021-44228.

• Flink: Not impacted

• Spark: Not impacted

2.9.4. Platform Portal

The service has been patched to mitigate the issues identified in CVE-2021-44228

2.10. Data

2.10.1. Read from Stream Layer

The service has been patched to mitigate the issues identified in CVE-2021-44228. 

2.10.2. Read from Versioned Layer

The service has been patched to mitigate the issues identified in CVE-2021-44228

2.10.3. Read from Volatile Layer

The service has been patched to mitigate the issues identified in CVE-2021-44228

2.10.4. Read Schemas

Not impacted

2.10.5. Write to Stream Layer

The service has been patched to mitigate the issues identified in CVE-2021-44228. 

2.10.6. Write to Versioned Layer

The service has been patched to mitigate the issues identified in CVE-2021-44228

2.10.7. Write to Volatile Layer

The service has been patched to mitigate the issues identified in CVE-2021-44228

2.10.8. Write Schemas

Not impacted

2.11. Development Enablers

2.11.1. Data Hub API

The service has been patched to to mitigate the issues identified in CVE-2021-44228

2.12. On-Premise Service Applications

HERE's on premise customer software has been assessed against the issues identified in CVE-2021-44228 and, as supplied, does not contain software with this vulnerability. 

• Batch Geocoder API v6

• Fleet Telematics API services

• Geocoder API v6

• Geocoder Autocomplete API v6

• Java Script API 3.1

• Map Tile API

• Routing API v7

• Routing API v8

• Traffic API

• Wi-Fi positioning