BigID Security Bulletins
Last Updated: 04/01/2024

XZ Utils Security Notice

Vulnerability details

On Friday, March 29, 2024, security researchers discovered a malicious backdoor embedded within the compression utility XZ. This utility is widely used in Linux distributions, including those from Red Hat and Debian, and the backdoor is being tracked as CVE-2024-3094. The known malicious code was found in versions 5.6.0 and 5.6.1, and consumers have been notified to downgrade to version 5.4.6 immediately. BigID has completed our security investigation process and can confirm that we are not impacted by CVE-2024-3094.

MongoDB Security Notice

Vulnerability details

On December 16th, MongoDB publicly announced that they had suffered a security incident across their corporate systems, which was discovered on December 13th, 2023. This is still a developing story from MongoDB as they have engaged forensic firms and law enforcement to continue their investigation. In our commitment to transparency and security, we want to share that we, BigID, do leverage MongoDB Atlas for our cloud-based customers. It is important to note that MongoDB Atlas access is authenticated via a separate system from MongoDB corporate systems, and they have found no evidence that the Atlas cluster authentication system has been compromised. Based on information currently available, MongoDB Atlas is not impacted as they have not identified any security vulnerability in any MongoDB product as a result of this incident. However, we’re being proactive by staying up to date with their alerts page and updating this bulletin accordingly with any further updates provided by MongoDB.

Update: MongoDB Security Notice

On December 18th, MongoDB updated the status of their security incident to be classified as a phishing attack with a high degree of confidence. They continue to find no evidence of unauthorized access to MongoDB Atlas clusters or the Atlas cluster authentication system. Their investigation and work with the relevant authorities are ongoing. MongoDB will update their alert page with pertinent information as they further investigate the matter. MongoDB did provide a list of Indicators of Compromise (IOCs) with relevant IPs from the Mullvad VPN service. BigID has conducted a retrospective investigation and saw none of these IPs communicating with the BigID Cloud service.

HTTP/2 Zero-Day Vulnerability

Vulnerability details

On October 12, 2023, Cloudflare, along with Google and Amazon AWS, disclosed the existence of a novel zero-day vulnerability dubbed the “HTTP/2 Rapid Reset” attack. This attack exploits a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric Distributed Denial of Service (DDoS) attacks. BigID has scanned our environment and, although we do utilize this protocol, we leverage Cloudflare HTTP DDoS Attack protection and therefore there is no impact to BigID.

Okta Customer Support Management System Breach

Vulnerability details

In October 2023, Okta reported a security breach of its customer support management system where a small portion of its customer information was downloaded by a hacker. In late November, Okta confirmed that contact information for all of their customers was compromised. Although BigID uses Okta for identity services, we also leverage multi-factor authentication for our critical systems. As a result, no customer environments or data were impacted by this breach.

Confluence Zero-Day Vulnerability CVE-2023-22515

Vulnerability details

On October 4, 2023, Atlassian announced a security vulnerability in its Confluence Data Center and Server software. BigID uses Confluence internally for collaboration and knowledge management; however, we leverage Atlassian-hosted Confluence Cloud, which is not impacted by this vulnerability.

Datadog Import-in-the-Middle Vulnerability

Vulnerability details

On August 6, 2023, we were informed about a recent vulnerability discovered in Datadog, a service that many companies, including ours, use for monitoring. We take such announcements very seriously as they have the potential to impact our service, as well as your data security and privacy.

In response to this, our security team has been working diligently to assess our systems. We are pleased to report that an exhaustive review of our entire codebase revealed no indications of the flags that would make our code susceptible to these vulnerabilities. Therefore, we are confident that our use of Datadog does not pose a threat to the security of our service or your data. However, in our commitment to transparency and security, we want to share that we are running versions of dd-trace that do contain the vulnerabilities. These, under normal circumstances, may pose risks, but we have found no unsafe usage in our repositories.

As an additional measure, we are forwarding this information to all our development teams to ensure they are fully aware of the situation and perform the necessary actions to upgrade to versions that don’t contain the above-mentioned vulnerabilities. We will continue to closely monitor the situation and will take all necessary steps to maintain the highest level of data security.

MOVEit Transfer Critical Vulnerability CVE-2023-34362

Vulnerability details

On June 1, Progress Software announced a security vulnerability in their MOVEit Transfer software, which is used to securely move files. This problem lets unauthorized people get into the software’s database and modify the information stored there. Luckily, BigID doesn’t use the MOVEit software, so we’re not affected directly. However, we’re being proactive by contacting our vendors to see if they use the software and if it could affect us indirectly. To date, none of our critical vendors have reported any issues that would affect BigID or our customers.