In response to security incidents which have impacted other managed file transfer (MFT) providers over the past year, Redwood has significantly increased its security posture across all File Transfer products.
Recently, an independent cybersecurity firm disclosed to Redwood a vulnerability (CVE-2023-4528) in the JSCAPE binary management service that runs by default on port 10880 and is used by JSCAPE command line utilities and the legacy Java-based management API. While most JSCAPE customers do not use this service - rather utilizing the REST administrative interface or command line utilities locally - we believe it essential to share this information with all customers.
What actions were taken by Redwood in response to this vulnerability?
When the vulnerability was disclosed, Redwood’s security and R&D teams acted quickly. Following standard procedures, they initially gathered a deep technical understanding and then worked to develop a patch to eliminate the vulnerability. The patch is now ready, has been through rigorous internal and third-party testing, and is available for customers to deploy.
Were there any customers impacted by this vulnerability?
We are closely monitoring and communicating with our customers. To our knowledge, none have been exploited. This vulnerability is relevant to customers that have explicitly set up port 10880 to be open to the public internet or that have a compromised internal network, which would allow an adversary to exploit it from within. After conducting a thorough scan looking for this configuration, we were unable to find any supported JSCAPE customers with 10880 exposed to the public internet. However, we recommend all customers confirm their own configuration in the administrative interface and upgrade to 2023.1.9.
Note: Port 10880 is not exposed in JSCAPE MFTaaS.
Actions customers need to take:
- Upgrade your instance(s) of MFT Server to version 2023.1.9: To upgrade, please follow the instructions provided in our online documentation. Release notes can be found here.
- Close port 10880 to the public internet: Ensure that external/public access to the binary management service port (typically 10880) that is used by JSCAPE command line utilities is blocked. Settings for this port may be found in the administrative interface under Settings > Manager Service > Manager Service. Note: The web-based administrative port, typically running on port 11880 (HTTP) and/or 11443 (HTTPS), is not subject to this vulnerability.
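One way to check the second item on a Linux host running MFT Server, as an added example that is not Redwood's own tooling: the Python below parses `ss -tln` output and reports every listener on port 10880 that is not bound to loopback only. The sample output is constructed, the function names are hypothetical, and a Linux host with `ss` is assumed.

```python
import ipaddress

MANAGER_PORT = 10880  # binary management service port named in the advisory

# Constructed sample of `ss -tlnH` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 50   0.0.0.0:10880      0.0.0.0:*
LISTEN 0 50   [::1]:10880        [::]:*
LISTEN 0 100  *:11443            *:*
LISTEN 0 128  127.0.0.53%lo:53   0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (host, port) for each LISTEN row of `ss -tln` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header row or unrelated line
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue  # service name instead of a number (ss run without -n)
        # Drop IPv6 brackets and any %interface scope suffix.
        yield host.strip("[]").split("%", 1)[0], int(port)

def bind_scope(host):
    """Classify a bind address as loopback, all-interfaces or specific-interface."""
    if host == "*":
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if addr.is_loopback else "specific-interface"

def audit_manager_port(ss_output, port=MANAGER_PORT):
    """Return (host, scope) for each listener on the port that is not loopback-only.

    Any result means other machines can reach the port unless a firewall
    blocks it, so the firewall rules in front of the host need confirming.
    """
    findings = []
    for host, listen_port in parse_listeners(ss_output):
        if listen_port == port and bind_scope(host) != "loopback":
            findings.append((host, bind_scope(host)))
    return findings

if __name__ == "__main__":
    for host, scope in audit_manager_port(SAMPLE_SS):
        print(f"port {MANAGER_PORT} listening on {host} ({scope}): "
              "confirm a firewall blocks external access")
```

An empty result means the service only accepts local connections; a non-empty result is not proof of public exposure, only a prompt to verify the firewall or security group in front of the host.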
Please take action today to ensure the most secure JSCAPE experience possible.
We thank our customers for their prompt attention to this update. Earning their trust each day is essential and we consider security a pillar of our partnership. The Redwood support team (email@example.com) is available 24/7 to support all JSCAPE customers.