Fluxx experienced a notice incident on December 11, 2021 affecting Grantmaker and Grantmaker and 1 more component, lasting 3d 19h. The incident has been resolved; the full update timeline is below.
Affected components
Update timeline
- monitoring Dec 11, 2021, 03:23 AM UTC
You may have heard of a recently announced vulnerability in log4j, a popular logging package for Java programs. You can find technical details on this vulnerability at this page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228. While Fluxx uses some Java services, there is no impact to our clients identified at this point. Our team is actively monitoring our system for any suspicious activity and taking actions to mitigate potential risks. For updates please check back on this page. Thank you, Fluxx Product Team
- resolved Dec 14, 2021, 10:58 PM UTC
It was announced recently that Apache Log4j2 has a serious vulnerability that can result in an attacker performing Remote Code Execution on compromised servers. While Fluxx does have some java services, none of these use Apache Log4j2. Ancillary services that are used by Fluxx do use log4j2 and as soon as the vulnerability was announced, mitigating efforts were taken across the entire infrastructure to ensure that our infrastructure was secure. None of the services that are used by Fluxx that use log4j2 are internet facing, and further, we have put in place measures to eliminate the exploitation of the stated vulnerability. We are also actively working with our vendors to ensure that they are not compromised, and if/where they are using log4j2 to confirm that they also have mitigated the vulnerability or upgraded to fixed versions of log4j2