Thank you for being a valued Indico user! We’re constantly making updates to our app and APIs, working on new features, and ensuring our security is top of the line.  Have ideas on how to make our product even better – please let us know!

Innovations and Updates in v4.17:

Support for Native and Empty Password PDFs

• We now offer support for the ingestion of PDF encrypted with empty passwords. Password protected PDFs (say that three times fast) can be uploaded to Datasets without triggering errors or causing dataset upload failures.
• Native PDF handling updates are also included in this release.

Log4j Patches

• Patches have been made in IPA-4.11.7, IPA-4.13.3, IPA-4.14.1, IPA-4.15.2, and IPA-4.16.4  to correct security flaws brought on by the Log4j vulnerability. IPA-4.17.0 also addresses the vulnerability.

Frequently Asked Questions about Log4j: 

1. What is Log4j? Why does Indico Data use it?
   Log4j is a framework used to record user activity and application behavior for review.  It’s a widely used tool for collecting information in Java-based applications. Indico uses Log4j indirectly as part of a third-party tool in our metrics service. Indico’s metrics system is not openly accessible, nor is it accessible to most users without high-level cluster level access and permissions.
2. How high risk is the Log4j vulnerability for Indico customers?
   Based on the inaccessibility of Indico systems that leverage the Log4j library, this vulnerability is considered very low risk for Indico customers. Regardless, Indico Data’s dedicated team of engineers has responded to the information with an exceptional level of promptness and efficiency and has created patches to mitigate any vulnerability. All Indico customers will be contacted in the coming days for patch installations. If you would like your patch expedited, please contact your Indico Customer Success Manager.
3. Does the Log4j vulnerability affect users utilizing the Indico Data Java client library?
   If you’re using our Java client library, the risk is minimal. There are no references to the Log4j-core library used in any version of our Java client library. In all versions, we do reference Log4j-API, which is not known to be subject to the exploit. We recommend upgrading to 4.12.3+ in an abundance of caution to minimize the risk of this vulnerability affecting your systems.
   
   
4. How is Indico Data addressing the Log4j arbitrary code execution vulnerability?
   In late December 2021, another security Log4j vulnerability was discovered. This vulnerability requires configuration access of the logging library to be utilized maliciously. Therefore, this vulnerability is considered to be of much lower severity than the previous instances. The Indico Data team continues to monitor the situation diligently to ensure the security of our systems. Currently, there is no plan to produce an emergency patch, and any updates addressing this vulnerability will be done on the regular release cycle.

Updated on January 3, 2022 – Information in this post is subject to change as new information about the Log4j vulnerability develops.