On Thursday, Dec 9, 2021, the Egnyte Security Team was made aware of a vulnerability in the common logging framework, Log4j. The vulnerability was assigned CVE-2021-44228.
Upon learning about this vulnerability and its potential impact, Egnyte immediately triggered its incident response process to identify if and where the Egnyte platform uses the vulnerable library across its products and infrastructure.
Here is the status breakdown for Egnyte Products:
- Storage Sync - Not affected
- Desktop App - Not affected
- Mobile Apps - Not affected
- Egnyte Platform (Connect + Secure & Govern) - Patched
- EgnyteGov - Patched
- Site Connector - Patched in version 2.7
- Internal infrastructure - Patched
- Turbo/Smart Cache - Not affected
In addition to patching our products and infrastructure, Egnyte has reviewed all relevant historical logs and monitoring systems to determine whether the vulnerability had already been exploited against our products or infrastructure.
We have not detected any successful exploitation attempts, and our security team continues to monitor the situation actively.
Our vendor management teams are working with our supply chain to confirm their update status. Where applicable, we updated software to include vendor patches.
We continue to investigate these vulnerabilities and stay updated with community research. This page may be updated as needed.