June 8th @ 15:00am UTC - Update June 8th @ 18:00 UTC
Phishing Emails
Please be advised that Crownpeak had been made aware of a potential phishing email clients have been receiving from alerts-notification-noreply@evidonenterprise.com. This is a valid email and we apologize for the confusion. This email has been sent to all users that exist in the UCP platform so they can be given access to the new Analytics Reporting product. Unfortunately this email included some disabled users which was not intended, if these users try to reset their password they are not be able to log in because they are still be disabled. To access this platform, you need to be logged into your current UCP account, you are then able to navigate to analytics.evidon.com to see the new dashboard.
Spring4Shell Zero Day Vulnerability - 04.01.2022 12:00 pm MST
Zero-Day Exploit in Spring Framework | Spring4Shell
Crownpeak is actively monitoring the Spring4Shell zero-day CVE-2022-22965 vulnerability. Please see CVE-2022-22963 and CVE-2022-22965. Our operations team has performed a thorough review of internal systems and support applications to determine if Crownpeak systems contain any exposure to the vulnerability. These two vulnerabilities have been discovered almost at the same time and thus tend to get mixed up in the news although they have different attack vectors. At this time, no exploits have been identified while we continue to perform our investigation.
We are actively monitoring and managing the issue and have a team working on identifying potential risks in our software components and services. This article will be updated regularly to provide information about how the vulnerability affects Crownpeak and its ecosystem as well as details on how we handle the issue and what you can do to secure your systems.
Be aware that this vulnerability affects many applications as it's an issue in a framework widely used. The information contained in this article is thus... View full report
Log4j Zero Day Vulnerability Update – 12.14.2021 5:00 pm MST
Crownpeak is actively monitoring the Log4j2 Zero Day Vulnerability disclosedon December 9, 2021 (CVE-2021-44228). Log4j2 affects the Apache Log4j 2 project and any systems which have deployed the library into an application.
Our operations team performed a comprehensive review of internal systems and support applications to update or patch any affected systems. Updates on the review results have been posted to this thread. We continue to actively monitor the situation.
The majority of Crownpeak’s products were not affected by the Log4j2 Zero Day Vulnerability, as they are not written in Java, or do not use the Log4j library. The small subset of Crownpeak’s product components which leverage the Log4j library were affected have been identified and patched to eliminate the risk of exploit. Specific product details are listed below. Crownpeak will be continuing to monitor our systems as well as third party components related to this situation closely and report any additional updates.
DG – Privacy & Consent Management
No systems or components affected in the DG product set
