
Who is this article for?

Incydr Professional, Enterprise, Gov F2, and Horizon
Incydr Basic, Advanced, and Gov F1
CrashPlan Cloud
CrashPlan for Small Business
Instructor
Retired product plans

Find your product plan in the Code42 console on the Account menu.


Code42 response to industry security incidents

Overview

When other security and technology companies disclose breaches and other security events, we often receive questions about whether those incidents affect Code42 products and services. This page explains whether and how major, widely publicized breaches affect Code42 products and services.

Code42 constantly reviews and analyzes any security incidents that could impact our customers, products, and services. In addition to the list below, there may be other security incidents that we are reviewing. Because security incident details provide sensitive information that could be used maliciously, we are unable to publish information about every incident we review.

If a security event affects Code42 products and services, we contact affected customers and issue a security advisory.

If you have questions or concerns, contact our Customer Champions for support.

Log4j library vulnerability

Summary 
  • Date: December 10, 2021 - ongoing
  • Organization / Product: Apache Log4j
  • Incident: Apache announced multiple vulnerabilities within the Log4j library. 
  • Affected Code42 components:
    • Code42 cloud: Updated to Log4j 2.15 on December 15, 2021
    • Code42 app for Incydr Basic and Advanced and CrashPlan Cloud product plans: Updated Log4j from 2.16.0 to 2.17.1 on January 18, 2022
    • Code42 User Directory Sync (UDS): Updated to Log4j 2.15 on December 15, 2021
    • On-premises Code42 server: Mitigated from Log4j vulnerabilities by following these steps
    • On-premises Code42 app: Updated to Log4j 2.16 on December 17, 2021
  • Not affected:
    • Code42 app for Incydr Professional, Enterprise, and Horizon product plans
Code42 impact
Date Update

January 18, 2022

2:00 pm ET

Code42 products and services

Code42 released app version 8.8.2, which updated the Log4j library from version 2.16.0 to 2.17.1 to further mitigate CVE-2021-45105, CVE-2021-44832, and CVE-2021-45046. Customers with delayed client upgrades are encouraged to review settings and update immediately.

December 20, 2021

2:40 pm ET

All deployments for Log4j 2.17

  • We will continue to apply additional patches for Log4j as they are released. Based on NIST guidelines as of December 20, 2021, Log4j 2.17 updates will be made as part of ongoing patch cycles in January 2022. Code42 will adjust planned upgrade cycles should requirements and guidelines change.

Additional context for Code42's approach to updating to Log4j 2.17

  • The vulnerability outlined in 2.16 references an attack with control over Thread Context Map data to cause a denial of service. 
    • Code42 products and services do not provide a way for an attacker to control Thread Context Map data.
    • Code42 products and services do not use any non-default logging patterns involving the Thread Context Map, which is required for exploitation.
  • Code42 has completed Red Team attacks and has engaged with security researchers via our bug bounty program to ensure we are not vulnerable to what is being described within Log4j version 2.16.

Cloud deployments for Log4j 2.16

December 17, 2021

4:45 pm ET

In line with guidance from CISA and NIST, Code42 is in the process of applying Log4j 2.16 to its products and services according to an accelerated timeline. Based on extensive testing, we do not believe that Code42 products and services are susceptible to risk presented by CVE-2021-45046 once all currently available patches and mitigations as documented below have been implemented.


Current timeline for updating to Log4j 2.16:

 

On-premises deployments

Cloud deployments

  • Code42 app - Timeline for update currently being determined; updates to be provided the week of December 20, 2021
  • Code42 cloud and services - Timeline for update currently being determined; updates to be provided the week of December 20, 2021
December 16, 2021
10:25 am ET

Code42 products
Code42 released updates to the Code42 cloud infrastructure with an updated version of Log4j that mitigates the CVE-2021-44228 vulnerability.

 

Customers were made aware of the cloud infrastructure and Code42 app version 8.8.1 update via the Code42 Community and direct email.

December 15, 2021
2:40 pm ET

Code42 services
Code42 released User Directory Sync (UDS) version 1.6.3 with an updated version of Log4j that mitigates the CVE-2021-44228 vulnerability.

 

Most Code42 customers do not have access to or use the UDS service, but affected customers were emailed directly at approximately 10:30 pm ET on December 14th, 2021, with upgrade instructions and download links to the new UDS version. If you need assistance applying the UDS upgrade in your environment, contact our Customer Champions for support.

December 15, 2021
8:45 am ET

Updated December 17, 2021 at 5:35 pm ET with additional details:

 

Additional context for Code42 approach to updating to Log4j 2.16

  • We have completed Red Team attacks and have been engaged with security researchers via our Bug Bounty program to ensure we are not vulnerable to what is being described in CVE-2021-45046.
  • Our agent and cloud services have a common lib-logging library which wraps our usage of Log4j. This constrains our usage to a standard path (default configuration) that does not utilize any of the vulnerable methods (ThreadContextMap, Logger.printf, or the other formattable stringBuilder) found to date.
  • We were previously and are currently running a JVM version of 11.0.1 or higher, which mitigates many of the known RCE exploits.
  • We have completed a scan of our code to ensure it does not use non-standard configurations which are outlined as part of the attack path for this vulnerability.
  • Many of the reported “bypass” attempts require either other known vulnerable dependencies be loaded or opt-in to known vulnerable configurations. We have confirmed our products are not vulnerable to the “bypass” exploits reported to date.
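
A configuration scan of the kind described in the list above can be sketched as follows. This is an added example, not Code42's code: it flags the constructs the Apache advisory for CVE-2021-45046 names as non-default (Context Lookups such as `$${ctx:loginId}` and the Thread Context Map converters `%X`, `%mdc`, `%MDC`) in a Log4j 2 XML configuration. Both sample configurations and the function name `find_context_patterns` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructs named in the Apache advisory for CVE-2021-45046 as non-default:
# Context Lookups such as $${ctx:loginId}, and the Thread Context Map
# pattern converters %X, %mdc and %MDC.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")
TCM_CONVERTER = re.compile(r"%(?:X|mdc|MDC)(?![A-Za-z])(?:\{[^}]*\})?")
CHECKS = ((CTX_LOOKUP, "context-lookup"), (TCM_CONVERTER, "thread-context-map"))

# Constructed sample configurations (not taken from any real product).
DEFAULT_STYLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="Console">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
  </Appenders>
</Configuration>"""

CONTEXT_AWARE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="Console">
      <PatternLayout pattern="%d %p [%X{requestId}] $${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""


def find_context_patterns(config_xml):
    """Return (element, kind, matched text) for every context reference found."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        # Patterns can sit in attributes (pattern="...") or in element text.
        values = list(elem.attrib.values())
        if elem.text and elem.text.strip():
            values.append(elem.text)
        for value in values:
            for regex, kind in CHECKS:
                for match in regex.finditer(value):
                    findings.append((elem.tag, kind, match.group(0)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("default-style", DEFAULT_STYLE_CONFIG),
                       ("context-aware", CONTEXT_AWARE_CONFIG)):
        print(label, find_context_patterns(cfg) or "no context patterns")
```

A finding marks a non-default pattern that needs review against the advisory; it does not by itself show that the deployment is exploitable.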

 

Updated December 16, 2021 at 1:10 pm ET with additional details:

After Log4j version 2.15 was released and applied to Code42 products, a newer Log4j version (2.16) was released that remediates additional vulnerabilities. We have assessed version 2.16 and determined it does not remediate vulnerabilities in Code42 products. Therefore, we will not be doing an emergency patch to apply Log4j 2.16 because version 2.15 addresses the critical vulnerability. Version 2.16 addresses a very specific edge case related to a logging configuration that we do not use in our products.


As always, we will be monitoring for updated versions and apply those versions as necessary.

December 14, 2021
5:12 pm ET

Code42 products and services
Code42 has released app version 8.8.1 to mitigate CVE-2021-44228 (Log4j vulnerability). Customers with delayed client upgrades are encouraged to review settings and update immediately. Code42 is planning for additional updates to the Code42 cloud later this week.

 

If you’re an on-premises customer and need additional details regarding mitigation, see Log4j vulnerability remediation steps for on-premises Code42 servers. We will provide additional updates regarding further mitigation for on-premises customers later this week.

December 13, 2021
7:45 pm ET
Code42 is working toward a patch to mitigate CVE-2021-44228 that will be available by the end of this week (December 17, 2021).

December 13, 2021

3:25 pm ET

Code42 products and services
Code42 is continuing to review the impact of CVE-2021-44228 (Log4j vulnerability) beyond remote code execution (RCE). We are working through applying the latest version of Log4j in all impacted areas of our product. 
 
Once updates are fully applied, additional messaging will be provided here as well as via email to all customers. 
 
If you’re an on-premises customer and need additional details regarding mitigation, see Log4j vulnerability remediation steps for on-premises Code42 servers.

December 10, 2021

7:30 pm ET

Code42 services
Code42 User Directory Sync uses a Log4j version that is vulnerable to CVE-2021-44228; most Code42 customers do not have access to or use this service. If configured according to Code42 guidelines, this service is not accessible to the public internet and therefore has mitigation in place. If you are concerned about this vulnerability in your environment, please contact support at https://gethelp.code42.com/ for further information. In the coming weeks, Code42 will provide an update to Code42 User Directory Sync that will use a Log4j version that is not vulnerable to CVE-2021-44228.
December 10, 2021
4:45 pm ET
(original message)

Code42 product 
Code42 does use Java within Code42 products, but current releases of all affected services and agents leverage a JVM (Java virtual machine) version higher than 11.0.1, which prevents the remote code execution vulnerability from being exploited. As a further point of mitigation, Code42 will update to the latest patched version of Log4j as part of future product releases.

In addition, Code42 does not leverage Apache Tomcat or Apache Struts components as part of our products.

 

Code42 internal corporate applications 
Code42 also leverages Java on specific internal corporate applications. These applications are currently being reviewed for potential impact and are scheduled for patching.

Previous industry incidents 

Date Organization / Product Incident Code42 impact
July 2, 2021 Kaseya VSA remote management service

Kaseya was struck by a ransomware attack, which spread to an estimated 1,500 businesses around the world. It is believed that attackers exploited a zero-day vulnerability in the Kaseya VSA remote management service, which the company says is used by 35,000 customers. 

Code42 does not use Kaseya products. There is no known impact to Code42’s products or services as a result of this attack.
June 30, 2021 Microsoft Windows Print Spooler service

A vulnerability (CVE-2021-34527) in the Microsoft Windows Print Spooler service, known colloquially as PrintNightmare, allows an attacker to remotely execute code with system level privileges. A threat actor exploiting this vulnerability can compromise the entire identity infrastructure of a targeted organization.

 

Code42 products are not vulnerable to this threat. If you are a Code42 customer, your Code42 environment is not affected.

 

However, Code42 does use affected Microsoft Windows technology in our internal corporate environment. We have taken the appropriate steps to mitigate this vulnerability.

 

Between June 30 and July 9, Code42 took the following actions:   

  • June 30 - Disabled Print Spooler functionality where possible on impacted devices, including putting in place file system access restrictions for one server where the spooler service was operationally necessary
  • July 6 - Updated system monitor configurations and logging
  • July 8 - Applied Microsoft patches 
  • July 9 - Configured registry settings via group policy for disabling point and print
April 20, 2021 Pulse Connect Secure (PCS 9.0R3 and higher)

A vulnerability was discovered in Pulse Connect Secure (PCS). It includes an authentication bypass that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway.

Code42 does not use Pulse Connect Secure. There is no known impact to Code42’s products or services as a result of this vulnerability disclosure.
April 20, 2021 SonicWall Email Security

Three zero-day vulnerabilities in SonicWall’s Email Security (ES) product were found exploited in the wild. These vulnerabilities were executed together to obtain administrative access and carry out code execution on a SonicWall ES device. 

Code42 does not use SonicWall Email Security. There is no known impact to Code42’s products or services as a result of this vulnerability disclosure.
March 10, 2021 F5 Networks BIG-IP and BIG-IQ

F5 announced 21 CVEs, including four critical vulnerabilities. These vulnerabilities could allow for remote command execution. Alongside disclosure of the vulnerabilities, F5 Networks issued patches for both the BIG-IP and BIG-IQ platforms.

Code42 does not use F5 Networks’ BIG-IP or BIG-IQ. There is no known impact to Code42’s products or services as a result of this incident.
March 8, 2021 Verkada

An entity calling itself APT69420 claims to have gained unauthorized global access to Verkada’s security camera and facial recognition system. The third party was able to view video feeds and facial recognition data for numerous large customers of Verkada’s surveillance system product. This breach was independently verified by Bloomberg and involved access using a super-user account.

Code42 does not use Verkada. There is no known impact to Code42’s products or services as a result of this incident.
March 2, 2021 Microsoft Exchange

Microsoft announced that hackers working on behalf of the Chinese government were actively exploiting 0-day vulnerabilities in on-premises Microsoft Exchange servers.

 

Microsoft issued emergency patches and urged all customers with on-premises Exchange to immediately patch their systems.

 

The Exchange vulnerabilities have been assigned the following CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Code42 does not use Microsoft Exchange. There is no known impact to Code42’s products or services as a result of this incident.
February 1, 2021 Accellion FTA

Accellion identified a concerted cyber-attack against their legacy FTA product. Accellion patched the actively exploited vulnerabilities and worked until January 2021 to identify and patch additional undiscovered vulnerabilities.

Code42 does not use Accellion technologies. There is no known impact to Code42’s products or services as a result of this incident.

December 13, 2020 SolarWinds

Malware inserted into a service that provided software updates for the Orion platform.

Code42 does not use SolarWinds Orion. There is no known impact to Code42’s products or services as a result of this incident.
