BigID Security Bulletins
Last Updated: 8/09/2023

MOVEit Transfer Critical Vulnerability CVE-2023-34362

Vulnerability details

On June 1, Progress Software announced a security vulnerability in their MOVEit Transfer software, which is used to securely move files. This problem lets unauthorized people get into the software’s database and modify the information stored there. Luckily, BigID doesn’t use the MOVEit software, so we’re not affected directly. However, we’re being proactive by contacting our vendors to see if they use the software and if it could affect us indirectly. To date, none of our critical vendors have reported any issues that would affect BigID or our customers.

Datadog Import-in-the-Middle Vulnerability

Vulnerability details

On August 6, 2023, we were informed about a recent vulnerability discovered in Datadog, a service that many companies, including ours, use for monitoring. We take such announcements very seriously as they have the potential to impact our service, as well as your data security and privacy.

In response to this, our security team has been working diligently to assess our systems. We are pleased to report that an exhaustive review of our entire codebase revealed no indications of the flags that would make our code susceptible to these vulnerabilities. Therefore, we are confident that our use of Datadog does not pose a threat to the security of our service or your data. However, in our commitment to transparency and security, we want to share that we are running versions of dd-trace that do contain the vulnerabilities. These, under normal circumstances, may pose risks, but we have found no unsafe usage in our repositories.

As an additional measure, we are forwarding this information to all our development teams to ensure they are fully aware of the situation and perform the necessary actions to upgrade to versions that don’t contain the above-mentioned vulnerabilities. We will continue to closely monitor the situation and will take all necessary steps to maintain the highest level of data security.