Box's statement on the recent Log4J vulnerability (CVE-2021-44228)

On Dec 9th, 2021, security researchers published a report of a high risk "zero day" vulnerability (CVE-2021-44228) affecting a common software package (Apache Log4J) that can allow remote code execution. Because Log4j is widely used across web applications and cloud service providers, the full scope of this vulnerability is complex and its impact is still being uncovered.

At this time, there is no evidence that the Box Service and related systems have been exploited. We believe our customers' content in Box remains safe and is unaffected by the Log4J vulnerability.

Box's security and engineering teams immediately investigated the vulnerability and are continuously assessing our own systems for potential impact. Box's pre-existing layers of defensive measures, maintained for our extensive compliance certifications and industry best practices, prevented exploitation of any vulnerable versions of Log4J in the specific cases we examined.

As part of our response, we also began patching instances of the vulnerable package and we are taking the following additional steps:

• Extensively reviewed all patched services for malicious behavior prior to patch application.
• Continuously monitor and analyze logs after patching is complete.
• Additional internal patching will continue over the next few days.
• We are also in contact with our vendors as a part of our rigorous third-party risk management process to further assess any potential vulnerabilities or impact.

We will continue to provide updates about the Log4j vulnerability as warranted. Protecting our customers' data is our top priority and at this time there is no action that you need to take in regard to the Box platform. For any specific concerns, please reach out to support.box.com or visit the Box Trust Center to learn more about our approach to security, privacy and compliance.