Okta Data Breach
Updated: November 1st, 2023
Last week, the Cvent IAM Team received an email stating that we were not impacted by the security breach. However, Okta provided us with a list of IPs that were used by the attacker. We reviewed and audited our instance to confirm that we are indeed not affected.
Additionally, our representative has confirmed internally that our instance is not impacted.
WebP Vulnerability
Updated: November 1st, 2023
Cvent Product and Security teams have conducted an investigation into CVE-2023-4863 and CVE-2023-5129. During the investigation, it was discovered that the impacted library, libwebp, is not directly utilized by any of our products.
However, libwebp is referenced internally (as a transitive dependency) by another library that is used by the Attendee Hub Mobile app (Cvent Event Mobile). Note that this vulnerability is exploitable only through "webp" type images, which are not allowed within the Cvent Event mobile application.
Based on this analysis, we have determined that there is no immediate threat to the Cvent application or its users. As a precautionary measure, we are currently working on upgrading the affected dependency in the upcoming mobile app release, which is tentatively scheduled for November 30, 2023.
Intel Downfall
Updated: Sep 5, 2023
Cvent's customer data is hosted and processed on AWS. Based on AWS's published messaging on this issue, AWS customers' data and instances are not affected, and no customer action (in this case, by Cvent) is required. To our knowledge, Cvent's AWS systems containing customer data remain unaffected. Cvent also investigated the issue on our end-user machines and did not find any unauthorized access.
For details on the disclosed vulnerability, please click here.
MOVEit Transfer Web Application Vulnerabilities
Updated: May 23, 2022
Cvent does not use the MOVEit Transfer web application and is therefore not impacted by the security vulnerability referenced in CVE-2023-34362.
For details on the disclosed vulnerability, please click here.
F5 Vulnerabilities
Updated: July 1, 2023
Cvent uses F5 systems within its environment and is aware of the recently announced CVE-2022-1388 BIG-IP iControl REST vulnerability. As stated in the CVE, the vulnerability has no data plane exposure and affects only the control plane. Cvent's configuration of the F5 systems in place does not expose the control plane to the internet. In addition, as of 05/20/22 Cvent has patched all systems to version 13.1.5 as recommended by F5, which remediates this vulnerability.
For details on the disclosed vulnerability, please click here.
Spring4Shell Vulnerabilities
Updated: April 1, 2022
Cvent has been investigating recent reports of CVE-2022-22965, the 0-day Remote Code Execution (RCE) vulnerability in the Spring software framework, and can confirm that we have successfully mitigated the risk associated with this issue. A limited number of Cvent applications run the Spring framework and product engineering teams have been mobilized to remediate the issue. We expect that all relevant product components will be updated to Spring Framework versions 5.3.18 or 5.2.20 by April 16, 2022.
Most importantly, Cvent has implemented safeguards across our platforms that detect and block potential exploitation attempts targeting this weakness. These safeguards, along with other defense-in-depth security capabilities, effectively mitigate the risk associated with this issue and protect Cvent systems and customer data.
For details on the disclosed vulnerability, please click here.
log4j Vulnerabilities
Updated: February 7, 2022
This update constitutes Cvent's final customer notification regarding our security posture related to the Apache log4j vulnerabilities discovered in December of 2021:
As of early January 2022, Cvent has updated all critical customer systems to log4j version 2.17 or 2.17.1. Where systems have been updated to log4j version 2.17, Cvent has maintained multi-layered compensating controls to substantially mitigate the risk of exploitation of CVE-2021-44832 (the inherently lower-risk vulnerability in log4j version 2.17).
Even though the risk of exploitation is mitigated across the board, Cvent still aims to update the remaining 2.17 versions of log4j to 2.17.1 via our normal security patching cadence. Per our internal service level objectives, this means that the remaining systems will be updated by the end of March 2022.