On Thursday, December 9th, the Tradeshift security team was made aware of a vulnerability in the Log4J Java logging library. Tradeshift immediately implemented mitigations to protect services and to update and secure the platform. Additionally, Tradeshift teams worked to identify and set up alerts on indicators of compromise to ensure the vulnerability was not exploited. Within the first 36 hours, Tradeshift had mitigated the vulnerability across the platform by patching to the 2.15.0 version which is not affected by the vulnerability. Since then, further issues were detected in 2.15.0 and as of December 16th, we've patched our systems to use the latest 2.16.0 version.

At this time, no action is required and there is no evidence that the vulnerability was exploited between discovery and remediation