Ordergroove incident

Apache Log4j 2 vulnerability

Notice Resolved View vendor source →

Ordergroove experienced a notice incident on December 13, 2021 affecting APIs, lasting 4d 3h. The incident has been resolved; the full update timeline is below.

Started
Dec 13, 2021, 07:55 PM UTC
Resolved
Dec 17, 2021, 11:20 PM UTC
Duration
4d 3h
Detected by Pingoru
Dec 13, 2021, 07:55 PM UTC

Affected components

APIs

Update timeline

  1. monitoring Dec 13, 2021, 07:55 PM UTC

    Ordergroove is aware and actively following the security vulnerability in the open-source Apache “Log4j 2" utility. Log4j is a Java-based logging utility found in a wide number of software products. The CVE-2021-44228 vulnerability (aka the “Log4Shell” vulnerability) was disclosed by the Apache Log4j project. If exploited, this vulnerability could potentially allow a remote attacker to execute code on the server. Below is the full description of the CVE in the National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 When the vulnerability was publicly published on December 10, 2021, Ordergroove promptly began an audit of all our software, infrastructure, as well as engaging with our software vendors to determine potential impact. Thus far, Ordergroove's platform is not exposed to this vulnerability, but we continue to evaluate the impact of this vulnerability with all our software vendors. If Ordergroove becomes aware of any unauthorized access to customer data, we will notify impacted customers without undue delay. This page will be updated over the coming days as more information becomes available.

  2. monitoring Dec 15, 2021, 07:18 PM UTC

    We are continuing to monitor the situation and following up with our software vendors for updates. Thus far, we have no reason to believe that Ordergroove has been exposed at any point by the Log4j vulnerability (CVE-2021-44228) but we will take appropriate remediation actions and notify any affected customers should we identify any Ordergroove products or services that have been exploited by this vulnerability. Thanks for your patience!

  3. resolved Dec 17, 2021, 11:20 PM UTC

    Ordergroove constantly strives to deliver the best service and security to our customers. At this time, there have been no compromises or successful exploits observed in Ordergroove products and services. Should anything change, we will take appropriate remediation actions and notify any affected customers. At this time, we have no reason to believe that Ordergroove products and services were impacted by the Log4j 2 vulnerability.