Box Sync critical issue - log4j
I saw your message that you found no compromising information re. log4j on the client. Scanning my local system with a current threat scanner tells me that Box Sync is using Apache log4net 1.2.13.0, which is considered Critical and must be fixed by an update. Any updates on Box Sync available? Thanks
Official comment
Hi there,
Welcome to the Box Community!
On Dec 9th, 2021, security researchers published a report of a high risk "zero day" vulnerability (CVE-2021-44228) affecting a common software package (Apache Log4J). Box's security and engineering teams immediately began investigating the report and assessing our own systems for impact. At this time, there is no evidence that the Box Service and related systems were successfully exploited.

While we determined that there were a few vulnerable versions of the package within the Box Service and Infrastructure, Box generally uses a version that wasn't vulnerable. The limited occurrence, combined with Box's pre-existing layers of defensive measures maintained for our extensive compliance certifications and industry best practices, prevented the exploitation of any vulnerable versions of Log4J.

While the instances of the vulnerability were not exploitable and limited, we quickly started and continue to patch services that contained the vulnerable package. As part of our response, we are taking the following additional steps:

- Extensively reviewed all patched services for malicious behavior prior to patch application and continue to verify our security posture of the patched environment with our typical security exercises, including our Bug Bounty program, external and internal penetration testing, red team activities, etc.
- Updated all our security devices with relevant Log4j signatures to detect and contain malicious activity related to this exploit where applicable.
- Continuously monitor and analyze logs after patching is complete.
- Keeping in touch with industry peers to collect intelligence and mitigation techniques to apply to our environment as needed.
- Additional internal patching will continue over the next few days as we continue to extensively scan our environment to discover any vulnerable version of the package.
- We are also in contact with our vendors as a part of our rigorous third-party risk management process to further assess any potential vulnerabilities or impact.
Protecting our customers' data is our top priority and at this time there is no action that you need to take in regard to the Box platform. If we identify any malicious activity that might impact your data, we will immediately notify and work with your teams. For any specific concerns, please reach out to support.box.com or visit the Box Trust Center to learn more about our approach to security, privacy and compliance.

Thanks again for your inquiries and we appreciate your partnership in this matter!