Platform Trust Center

Update: BigCommerce is not affected by this vulnerability.

On Oct 25, 2022 The OpenSSL project announced a forthcoming release of OpenSSL (version 3.0.7) to address a critical security vulnerability. This release should go live on Tuesday, November 1, 2022. Versions prior to 3.0.0 are confirmed as not vulnerable. BigCommerce has checked our own systems and tools for usage of vulnerable versions of OpenSSL. We will be on alert for any impacts when the vulnerability details are disclosed.

Reference:

• https://www.openssl.org/news/vulnerabilities-3.0.html
• https://blog.qualys.com/vulnerabilities-threat-research/2022/10/31/qualys-research-alert-prepare-for-a-critical-vulnerability-in-openssl-3-0

This advisory will be updated as new information is provided.

BigCommerce believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our applications. Good luck, and happy hunting!

Report your findings using the link on the footer of this page.

This Report is found under the 'Other Reports' tile. It is is a summary of BigCommerce’s data protection and transfer practices. This document is not legal advice and does not provide an exhaustive list of the protections maintained by BigCommerce. For the avoidance of doubt, the information provided in this document is BigCommerce confidential and proprietary information and can be shared only: (i) in relation to a legitimate business purpose; and (ii) subject to an appropriate confidentiality expectation or obligation.

BigCommerce operates as a PCI DSS Level 1 Service Provider and Level 1 Merchant, accepting online payments by card-not-present transactions only. Current PCI AOC Issuance Date: 6/13/2022. PCI AOC's are available from the 'Compliance' Tile/ PCI DSS Link

As a PCI DSS Level 1 Merchant, BigCommerce accepts payments for subscriptions via the BMP billing application (manage.bigcommerce.com) which is used by all customers.

As a PCI DSS Level 1 Service Provider, BigCommerce facilitates the tools for merchants to accept credit card payments at their individual eShops. Merchants provide BigCommerce with the name of the payment gateway provider of their choice and their individual Merchant IDs; BigCommerce configures the merchant eShops with a shopping cart that enables them to accept credit/debit card payments.

GitHub revealed on 4/15/2022 that an attacker is using stolen user tokens (issued to Heroku and Travis-CI OAuth) to download data from private repositories. BigCommerce can confirm that we have conducted an internal investigation and we have no evidence of impact. BigCommerce will continue to monitor the situation closely and will provide updates where we have them available to us.

Reference: https://status.heroku.com/incidents/2413 https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/

The PCI Security Standards Council published version 4.0 of the PCI Data Security Standard (PCI DSS) The updated standard and Summary of Changes document are available now on the PCI SSC website. https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

VIEW: “PCI DSS v4.0 At a Glance” an overview document on the changes to PCI DSS v4.0. https://www.pcisecuritystandards.org/documents/PCI-DSS-v4-0-At-A-Glance.pdf

Published on 3/31/2022 BigCommerce became aware of a recently disclosed CVE-2022-22965 - “SpringShell” RCE vulnerability in spring-beans before 5.2.20/5.3.18, BigCommerce can confirm we have conducted an internal investigation and can confirm that we have no evidence that BigCommerce customers or internal employees have been targeted or impacted by this vulnerability.

BigCommerce will continue to monitor the situation closely and will provide updates where we have them available to us.

BigCommerce values the security of its services extremely highly and to this end we maintain appropriate industry accepted third party accreditation of our security controls and program.

Published on 3/31/2022 BigCommerce has been made aware of both the recent potential Okta security incident and the recent potential Microsoft security incident and is actively assessing the situation as events unfold.

​We have been in touch with OKTA and have no evidence of impact to BigCommerce. We have researched the Microsoft issue and found no evidence of impact to BigCommerce. We continue to monitor the situations closely and will provide updates where we have updates available to us.

OKTA Statement: https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/ Microsoft Statement: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

The US Cybersecurity & Infrastructure Security Agency provides guidance for organizations to prepare for, respond to, and mitigate the impact of cyber attacks during this period of unrest. https://www.cisa.gov/shields-up

SECURITY NOTICE (click to expand): about the recently disclosed Log4j vulnerabilities, references: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance, https://logging.apache.org/log4j/2.x/security.html and: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 https://nvd.nist.gov/vuln/detail/CVE-2021-45046 https://nvd.nist.gov/vuln/detail/CVE-2021-45105 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104

Exploits related to vulnerabilities affecting Apache’s Log4j, known as "Log4Shell" and "log4shell" were publicly disclosed on December 9, 2021.

There have been reports confirming that active scanning and exploitation attempts are occurring in the wild across a variety of Internet connected systems, separate and unrelated to BigCommerce systems.

BigCommerce has been working diligently to assess our internal systems and 3rd party dependencies in order to mitigate what has become a ubiquitous vulnerability for attackers.

What is the impact? From our investigation no impact to our platform has been identified. Merchants and partners are strongly encouraged to assess their own environments for this vulnerability and remediate immediately.

Who is impacted? Versions of Log4j2 from 2.0-beta9 to 2.15.0, excluding 2.12.2 are affected by this vulnerability. An extensive list of responses from impacted organizations has been compiled here for greater context: https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/

What action is required for BigCommerce's customers? No action is required related to your BigCommerce store. However, if you have engaged a third party development partner or leverage 3rd party applications you are strongly encouraged to request confirmation that they are not vulnerable to the Log4j vulnerability.

Note: BigCommerce will not send you any code to upload to your site or require you to install anything on your computer or in your store