Some customers have expressed concern about the vulnerability in a commonly used third-party library, Log4j. nShift was made aware of this vulnerability on Friday afternoon, December 10, 2021. We took immediate precautions and implemented mitigating and precautionary actions during the afternoon of Friday, December 10. Our platforms show no indications of being an easy target for this vulnerability, nor any indications of it having been exploited. We will continue to monitor and follow the news feeds to make sure that we stay proactive against this and related threats.
TMS/My Parcels:
We implemented and deployed a fix on Friday.
We are also going through all our third-party libraries and updating them to a version where this has been fixed. Monitoring continues.
Delivery/Checkout:
The products are not affected by this vulnerability in production, but we are going through all third-party libraries and updating those that are applicable. Monitoring continues. We fixed our internally affected software on Friday, December 10.
Transsmart:
The product is not directly affected by this vulnerability, but we are going through all third-party libraries and updating those that are applicable. Monitoring continues.
DeliveryHub (Consignor including Shipment Server, On-premises, and Portal):
DeliveryHub does not use Apache Log4j in the production environment and is not affected by the vulnerability.
Updates
December 17, 2021:
- We have a CVE-2021-44228 security incident action list and mitigation guides to ensure secure and safe systems, and we closely follow developments related to this vulnerability and its potential further exploitation.
- We have gone through and updated all occurrences of the Log4j component affected by CVE-2021-44228 in all our applications and systems, and will continue to do so if needed (for example, if further exploitation methods are found) across all our applications.
- We keep updating all third-party dependencies which in turn depend on a Log4j version affected by CVE-2021-44228, for all our applications.