Platform Trust Center
BigCommerce's core Software as a Service (SaaS) offering is a cloud-hosted online storefront, a cloud-hosted checkout process, and a back-end administration portal for merchants to manage customers, products, orders, and other standard business operations, as well as Application Programming Interfaces (APIs) to support these processes.
BigCommerce has implemented best-in-class security practices to keep customer data safe.
Trust Center Updates
SECURITY NOTICE: about the recently disclosed Log4j vulnerabilities
Published at 12/28/2021, 5:09 PM
SECURITY NOTICE: about the recently disclosed Log4j vulnerabilities. References: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance, https://logging.apache.org/log4j/2.x/security.html, https://nvd.nist.gov/vuln/detail/CVE-2021-44228, https://nvd.nist.gov/vuln/detail/CVE-2021-45046, https://nvd.nist.gov/vuln/detail/CVE-2021-45105, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
Exploits related to vulnerabilities affecting Apache's Log4j, known as "Log4Shell" (also written "log4shell"), were publicly disclosed on December 9, 2021.
There have been reports confirming that active scanning and exploitation attempts are occurring in the wild across a variety of Internet-connected systems, separate from and unrelated to BigCommerce systems.
BigCommerce has been working diligently to assess our internal systems and third-party dependencies in order to mitigate a vulnerability that attackers are now exploiting widely.
What is the impact? From our investigation, no impact to our platform has been identified. Merchants and partners are strongly encouraged to assess their own environments for this vulnerability and remediate immediately.
Who is impacted? Versions of Log4j2 from 2.0-beta9 to 2.15.0, excluding 2.12.2, are affected by this vulnerability. An extensive list of responses from impacted organizations has been compiled here for greater context: https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/
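The version range above can be turned into a simple inventory check. The following Python is an added example, not BigCommerce code: it parses Log4j 2 version strings (including pre-releases such as 2.0-beta9), applies exactly the range this notice states, and flags log4j-core jar paths; the sample paths are constructed for illustration.

```python
import re

# Affected range exactly as stated in the notice: 2.0-beta9 through 2.15.0, excluding 2.12.2.
AFFECTED_LOW, AFFECTED_HIGH, EXCLUDED = "2.0-beta9", "2.15.0", {"2.12.2"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_JAR_RE = re.compile(r"log4j-core-(\d[\w.\-]*?)\.jar$")

def parse_version(text):
    """Turn a Log4j 2 version string into a sortable tuple; pre-releases such as
    2.0-beta9 sort before the final release with the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    numeric = (int(major), int(minor), int(patch or 0))
    if pre:
        return numeric + (0, _PRE_RANK[pre.lower()], int(pre_num or 0))
    return numeric + (1, 0, 0)  # a final release sorts after any of its pre-releases

def is_affected(version):
    """True if the version lies inside the affected range stated in the notice."""
    if version.strip() in EXCLUDED:
        return False
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)

def affected_jars(paths):
    """Return the log4j-core jar paths whose embedded version is affected.
    Versions the parser does not recognise are skipped, not guessed at."""
    hits = []
    for path in paths:
        m = _JAR_RE.search(path)
        if not m:
            continue  # only log4j-core jars are checked by this example
        try:
            if is_affected(m.group(1)):
                hits.append(path)
        except ValueError:
            pass
    return hits

if __name__ == "__main__":
    # Constructed sample paths for illustration; not taken from any real host.
    sample = ["/opt/app/lib/log4j-core-2.14.1.jar", "/opt/app/lib/log4j-core-2.12.2.jar",
              "/opt/legacy/lib/log4j-core-2.0-beta9.jar", "/opt/app/lib/log4j-core-2.17.1.jar",
              "/opt/app/lib/log4j-api-2.14.1.jar"]
    for hit in affected_jars(sample):
        print("affected:", hit)
```

Feed `affected_jars` the jar paths from a filesystem walk of your own hosts; it reports only the artifacts the notice's range covers, so versions outside it still need checking against the vendor references listed above.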
What action is required for BigCommerce's customers? No action is required related to your BigCommerce store. However, if you have engaged a third-party development partner or leverage third-party applications, you are strongly encouraged to request confirmation that they are not vulnerable to the Log4j vulnerability.
Note: BigCommerce will not send you any code to upload to your site or require you to install anything on your computer or in your store.