Apache Log4j2
Incident Report for Procore Technologies
Resolved
The Procore Information Security and Incident Response Teams continue to monitor the Log4J vulnerability situation per industry recommendations and best practices, which includes upgrading vulnerable packages to current and stable versions.

The Security Team is transitioning this incident from an active Incident Management exercise to part of our ongoing security monitoring program.

This will conclude the status updates from status.procore.com specifically related to this issue.

If there are any specific questions or concerns, please do not hesitate to reach out to your Procore POC or security@procore.com.
Posted Jan 13, 2022 - 09:24 PST
Update
Procore is also aware of the related vulnerability affecting Apache Log4j2 described at CVE-2021-45105
Like the previous vulnerabilities, Procore has seen no indication that this vulnerability has impacted the Procore platform’s security, and will continue to monitor the issue and mitigate as appropriate.
Posted Dec 20, 2021 - 08:55 PST
Update
Procore is also aware of the related vulnerability affecting Apache Log4j2 described at CVE-2021-45046

Procore has similarly seen no indication that this vulnerability has impacted the Procore platform’s security, and will continue to monitor the issue and mitigate as appropriate.
Posted Dec 15, 2021 - 11:39 PST
Monitoring
Procore is aware of the recently disclosed vulnerability affecting Apache Log4j2. Further details are available at CVE-2021-44228 and in Apache's Log4j2 post.

Procore has seen no indication that this vulnerability has impacted the Procore platform’s security. Procore is monitoring this issue, and will patch any identified instances of Log4j2.

We’ll post updates here as additional information becomes available.
Posted Dec 13, 2021 - 11:45 PST