TL;DR – We are not exposed to Log4J but, out of an abundance of caution, have blocked any attempts to exploit it.
Our official statement on Log4J from our Director of Compliance and Information Security, Greg Fowl:
Like many, Filestack has closely followed the developments surrounding the log4j vulnerability. As soon as information about the vulnerability became public, Filestack Engineering conducted a deep dive to determine if there was an impact to any of our applications. As part of that effort, Filestack examined all instances and containers to ensure that none of them employed log4j.
Next, as a part of our due diligence, an external vulnerability scan was conducted that was specifically tuned to detect the log4j vulnerability, and nothing was found. Additionally, Filestack implemented a rule in our Web Application Firewall to block attempts to exploit the vulnerability, even though Filestack does not have the vulnerability. After implementing the firewall rule, we observed a blocked attempt to communicate with the Filestack application to try to exploit the log4j vulnerability.
Another tool that Filestack utilizes employs a patented Polygraph technology that takes millions of incoming data points, correlates them into behaviors, and detects all potential security events, allowing Filestack to focus on the critical security risks that need action. This tool has been tuned to detect and block bad actors that are attempting to exploit the log4j vulnerability.
Finally, Filestack conducted a second vulnerability scan using a different tool than the aforementioned scanning tool, and it also confirmed that Filestack’s application is not vulnerable to the log4j vulnerability.
Due to the widespread impact of this vulnerability, organizations are continuing to perform their due diligence to identify potential exposure and mitigate risk. As we continue to investigate across our technology stack and partner environments, we will provide updated communications should new information develop.
The security of the Filestack application and protection of our customers’ data is a high priority. For more details about our security practices, please see Filestack – Statement of Security Practices. If you have any questions, please let us know.
Greg Fowl, CISSP, CISA, CDPSE, AWS CCP
Director of Compliance and Information Security