On December 9, 2021, a zero-day remote code execution (RCE) vulnerability in a popular open-source Java logging library (Apache Log4j 2) was announced in a LunaSec blogpost. The security vulnerability goes by the name of Log4Shell and has since been assigned the Common Vulnerabilities and Exposures (CVE) reference of CVE-2021-44228. The range of software companies and service providers impacted by Log4Shell is quite expansive given the prevalence of Java technology and the popularity of Log4J.
On December 10, 2021, at approximately 3:00 pm Pacific Time (23:00 GMT), the incident response team at Vendavo notified Vendavo Cloud customers of emergency downtime patching and remediation efforts in response to the Log4Shell vulnerability. Those customers were again notified at the completion of patching and configuration updates. No breach of customer data or personal data was identified.
The remediation activities conducted over the course of the weekend, December 11 and 12, represented proactive efforts to avert and defend customer systems and data against the immediate threat posed by the Log4Shell RCE vulnerability. We continue to monitor all systems as standard procedure and will adjust our incident response if necessary.
The Information Security, Operations, and Engineering groups at Vendavo are aware of the vulnerability and actively conducting an in-depth review of all products and environments.
The following products underwent immediate remediation via configuration changes that effectively disabled the vulnerability, blocking any potential attacks. These products are also being patched with the latest version of the Log4j library (2.15.0), which disables the vulnerable code by default.
- EPS (Profit Analyzer, Price Manager, Deal Manager, Deal Guide, Price Optimization Manager, Business Risk Alerts)
The following products are not exposed to the vulnerability since they have no dependency on the afflicted versions of the Log4j library (2.0-beta9 to 2.14.1).
- Intelligent CPQ
- Deal Price Guidance & Deal Price Optimizer
- Margin Bridge Analyzer
- Sales Optimizer
- Commercial Analytics