Get the Latest Updates and Responses From Cvent
Spring4Shell
Updated: April 1, 2022
Cvent has been investigating recent reports of CVE-2022-22965, the 0-day Remote Code Execution (RCE) vulnerability in the Spring software framework, and can confirm that we have successfully mitigated the risk associated with this issue. A limited number of Cvent applications run the Spring framework, and product engineering teams have been mobilized to remediate the issue. We expect that all relevant product components will be updated to Spring Framework version 5.3.18 or 5.2.20 by April 16, 2022. Most importantly, however, Cvent has successfully implemented safeguards across our platforms that detect and block potential exploitation attempts that may target this weakness. These safeguards, along with other defense-in-depth security capabilities, effectively mitigate risk associated with this issue in order to protect Cvent systems and customer data.
log4j Vulnerabilities
Updated: February 7, 2022
This update constitutes Cvent's final customer notification regarding our security posture related to the Apache log4j vulnerabilities discovered in December of 2021:
As of early January 2022, Cvent has updated all critical customer systems to either log4j version 2.17 or 2.17.1. In circumstances where systems have been updated to log4j version 2.17, Cvent has maintained multi-layered compensating controls to substantially mitigate the risk of exploitation of CVE-2021-44832 (the inherently lower-risk vulnerability in log4j version 2.17).
Even though the risk of exploitation is mitigated across the board, Cvent still aims to update the remaining 2.17 versions of log4j to 2.17.1 via our normal security patching cadence. Per our internal service level objectives, this means that the remaining systems will be updated by the end of March 2022.
Updated: December 29, 2021
Cvent has been aware of, and actively responding to, the recently disclosed log4j security vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and now CVE-2021-44832. As of this update, Cvent has updated all product software and critical systems to log4j version 2.16.0 and is now updating to version 2.17.1. Our response strategy to the log4j vulnerabilities has consisted of three execution priorities:
- Threat Intelligence - We engaged our security threat intelligence and monitoring partners to learn all we can about the vulnerability as well as threat actor techniques and technical indicators of potential attack. We’re continuing this research and monitoring to inform and enhance our ongoing response.
- Technical Safeguards - Leveraging the above intelligence, our Technology team has instrumented various security systems and multi-layered safeguards to identify, detect, block and/or rapidly investigate potential exploitation attempts. Enhancements to these safeguards will be done as we learn of any new attack patterns, techniques, or technical indicators of potential attack. Cvent has not suffered any adverse effects from threat actors at this time.
- Updating Vulnerable Software / Systems - As mentioned above, Cvent has updated all product software and supporting infrastructure to log4j version 2.16.0. We are also updating critical systems to log4j version 2.17.1 to address the most recently publicized denial of service and remote code execution weaknesses (CVE-2021-45105 and CVE-2021-44832, respectively). Risk to our platforms and customer data from these most recent vulnerabilities is substantially mitigated by the specific conditions that must be present to exploit them, as well as by the effectiveness of Cvent’s multi-layered security safeguards. Unless these two vulnerabilities increase in severity, Cvent will be addressing them within upcoming maintenance releases of our products and supporting platforms.
Updated: December 20, 2021
Cvent has been aware of, and actively responding to, the recently disclosed log4j security vulnerabilities (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105). As of this update, Cvent has updated all product software and supporting systems to log4j version 2.16.0 and is actively updating to version 2.17.0, an effort we expect will be completed by December 31, 2021, if not sooner.
Our response strategy to the log4j vulnerabilities has consisted of three execution priorities:
- Threat Intelligence - We engaged our security threat intelligence and monitoring partners to learn all we can about the vulnerability as well as threat actor techniques and technical indicators of potential attack. We're continuing this research and monitoring to inform and enhance our ongoing response.
- Technical Safeguards - Leveraging the above intelligence, our Technology team has instrumented various security systems and safeguards to identify, detect, block and/or rapidly investigate potential exploitation attempts. Enhancements to these safeguards will be done as we learn of any new attack patterns, techniques, or technical indicators of potential attack. Cvent has not suffered any adverse effects from threat actors at this time.
- Updating Vulnerable Software / Systems - As mentioned above, Cvent has updated all product software and supporting infrastructure to log4j version 2.16.0. We are also actively updating to log4j version 2.17.0 to address the most recently publicized denial of service weakness (CVE-2021-45105). As Cvent has technical factors and security controls in place that substantially mitigate the risk from this weakness to customer data and platforms, we expect the log4j version 2.17.0 update effort to complete by December 31, 2021, if not sooner.