FullStory is a new kind of platform, designed to help companies answer any question they might have about their digital experience.
Built on a powerful analytics engine, FullStory connects digital interactions to the metrics that matter most to businesses. It proactively surfaces top opportunities for optimization, allowing teams to understand issues, prioritize fixes, remediate bugs, and measure the impact of changes.
With FullStory, product, engineering, and UX teams can align around their customer, break down internal information silos, and achieve company objectives together—faster. The end result? A digital experience their customers and users love.
Trust Center Updates
Response to customers
FullStory's PSIRT has been tracking the announcement of CVE-2023-38545, a high-severity vulnerability in the open-source library libcurl (patched in version 8.4.0). A blog post by the author of libcurl shares specific details of the vulnerability and the circumstances required for exploitation. Having reviewed the technical findings, FullStory has no exposure to this particular CVE. Patching of this issue will take place through our regular patch management processes, as is the case with the many other CVEs published on an ongoing basis.
Trust is one of our core watchwords and we hold our responsibility as protectors of our customers' information in the highest regard.
We are happy to say that our latest SOC 2 Type 2 report is now available, and that it also includes HITRUST-mapped controls.
The SOC 2 + HITRUST report came out of a joint effort between the American Institute of Certified Public Accountants (AICPA) and the HITRUST Alliance to create a more efficient reporting structure: the two organizations aligned their reporting frameworks and created a combined assurance program known as SOC 2 + HITRUST.
The SOC 2 + HITRUST program maps the Trust Services Criteria to the HITRUST CSF requirements and allows service organizations to be audited on controls from both sets of requirements in a single report.
Response to customers
FullStory’s PSIRT has been tracking the MOVEit by Progress Software vulnerability since it was announced. MOVEit by Progress Software is not used anywhere across our services or within our environment, so FullStory has no active risk from this vulnerability.
MOVEit by Progress Software Vulnerability Background
To learn more on the background of the vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-34362.
Trust is one of our core watchwords and we hold our responsibility as protectors of our customers' information in the highest regard.
We are happy to say that we are now ISO 27701 (Privacy) certified!
Response to customers
FullStory’s PSIRT has been tracking the Apache Commons Text vulnerability (CVE-2022-42889) since it was announced. Apache Commons Text is not used anywhere across our services or within our environment, so FullStory has no active risk from this vulnerability.
Apache Commons Text Vulnerability Background
To learn more on the background of the vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-42889.
Response to customers
FullStory’s PSIRT has been tracking the announcement of the OpenSSL vulnerabilities affecting versions 3.0.0 - 3.0.6 since last week. Across our services, the presence of these affected versions of OpenSSL is limited to two utility services that are only internally facing and do not directly operate our production platform. Now that the OpenSSL project has shared the context of the abuse cases related to CVE-2022-3786 and CVE-2022-3602, FullStory has no active risk from these issues. Nonetheless, our standard patching practices will upgrade these services to the unaffected 3.0.7 version as the related projects make it available, even though the technical details of these CVEs show that no real-world harm can be done to them. It should also be noted that CVE-2022-3602 was downgraded from ‘Critical’ to ‘High’ by the OpenSSL maintainers because evaluation by independent parties found abuse to be unlikely.
OpenSSL 3 Vulnerability Background
To learn more on the background of the vulnerability: https://www.openssl.org/news/vulnerabilities-3.0.html.
Trust is one of our core watchwords and we hold our responsibility as protectors of our customers' information in the highest regard.
We are happy to say that our latest SOC 2 Type 2 report is now available, and that it also includes HITRUST-mapped controls.
The SOC 2 + HITRUST report came out of a joint effort between the American Institute of Certified Public Accountants (AICPA) and the HITRUST Alliance to create a more efficient reporting structure: the two organizations aligned their reporting frameworks and created a combined assurance program known as SOC 2 + HITRUST.
The SOC 2 + HITRUST program maps the Trust Services Criteria to the HITRUST CSF requirements and allows service organizations to be audited on controls from both sets of requirements in a single report.
Response to customers
Trust is one of our core watchwords and we hold our responsibility as protectors of our customers' information in the highest regard.
FullStory does not use any Palo Alto services to deliver our product, and is not affected by this vulnerability.
Palo Alto DoS Vulnerability Background
To learn more on the background of the vulnerability: https://security.paloaltonetworks.com/CVE-2022-0028
Response to customers
Trust is one of our core watchwords and we hold our responsibility as protectors of our customers' information in the highest regard. FullStory was NOT one of the impacted customers of the Okta breach. Below is some additional information regarding the background, cause, and remediation steps we took regarding the Okta breach in order to maintain the trust you have in our company.
Okta Breach Background
To learn more on the background of the breach: https://www.okta.com/blog/2022/04/okta-concludes-its-investigation-into-the-january-2022-compromise/.
Okta’s Response
Okta detected an unsuccessful attempt to compromise the account of one of their third-party engineers. Okta alerted the third-party provider, terminated the user’s active Okta sessions, and suspended the user’s account. Okta states there is no impact to Auth0, HIPAA, and FedRAMP customers.
Okta stated that the potential impact to customers is limited to the access that support engineers have. Upon conclusion of their third party’s forensic examination, Okta determined that 366 customers were impacted.
FullStory & Okta Relationship Transparency Summary:
FullStory uses Okta as our single sign-on (SSO) provider. Using an SSO provider helps us streamline and secure access management: employees are granted access to authorized systems, and that access is terminated when their job role changes or they leave the company. This in turn keeps our systems safe from unauthorized access and from privilege creep, where someone accumulates more access than they need as they move positions internally.
FullStory Response & Actions to Okta Breach
FullStory immediately contacted our Okta representative to ask whether we were one of the 366 customers that were impacted on March 22, 2022. Okta confirmed that FullStory was not an impacted customer. FullStory independently confirmed that our systems were not compromised by completing the following additional steps:
- Reviewed the Okta audit logs for our superuser/admin accounts to look for any suspicious activity.
- Verified that no privileged accounts were created around the time of the suspected breach (January 21, 2022) that we did not create ourselves.
- Conducted assessments of our critical third parties. This included developing a due diligence questionnaire on breach response. After concluding our assessment, we did not identify any critical third parties that were affected by the Okta breach.
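One way to carry out the first two of these checks, as an added example that is not FullStory's own tooling: it scans constructed Okta System Log events (the event type names are assumed from Okta's public event catalogue) for account creations and admin-privilege grants in a window around January 21, 2022 performed by actors outside a known-administrator allowlist.

```python
import json
from datetime import datetime, timedelta, timezone

# Okta System Log event types that signal account or privilege changes
# (assumed names, taken from Okta's published event catalogue).
PRIVILEGE_EVENTS = {
    "user.account.privilege.grant",   # admin role assigned to a user
    "user.lifecycle.create",          # new account created
    "user.session.access_admin_app",  # admin console opened
}

# Constructed sample events in Okta System Log JSON shape (not real data).
SAMPLE_LOG = """
{"eventType":"user.session.start","published":"2022-01-20T08:00:00.000Z","actor":{"alternateId":"alice@example.com"},"target":[],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.lifecycle.create","published":"2022-01-21T03:12:09.000Z","actor":{"alternateId":"support-svc@vendor.example"},"target":[{"alternateId":"newadmin@example.com"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.account.privilege.grant","published":"2022-01-21T03:13:41.000Z","actor":{"alternateId":"support-svc@vendor.example"},"target":[{"alternateId":"newadmin@example.com"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.account.privilege.grant","published":"2022-01-24T15:45:00.000Z","actor":{"alternateId":"alice@example.com"},"target":[{"alternateId":"bob@example.com"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.lifecycle.create","published":"2022-02-10T09:00:00.000Z","actor":{"alternateId":"alice@example.com"},"target":[{"alternateId":"carol@example.com"}],"outcome":{"result":"SUCCESS"}}
"""

def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_privilege_changes(events, center, window_days, expected_actors):
    """Return account/privilege-change events inside the review window
    whose actor is not one of our own known administrators."""
    start = center - timedelta(days=window_days)
    end = center + timedelta(days=window_days)
    findings = []
    for ev in events:
        if ev.get("eventType") not in PRIVILEGE_EVENTS:
            continue
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if not (start <= when <= end):
            continue
        actor = (ev.get("actor") or {}).get("alternateId", "")
        if actor in expected_actors:
            continue
        targets = [t.get("alternateId", "") for t in ev.get("target", [])]
        findings.append((ev["eventType"], actor, targets, ev["published"]))
    return findings

def review_okta_log(text=SAMPLE_LOG):
    """Run the review centred on the suspected breach date (January 21, 2022)."""
    center = datetime(2022, 1, 21, tzinfo=timezone.utc)
    return flag_privilege_changes(parse_log(text), center, 3, {"alice@example.com"})
```

In the constructed sample, the two events on January 21 by an actor outside the allowlist are returned for follow-up, while the administrator's own later changes are not.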
Conclusion
FullStory was not impacted by the Okta breach. Further, we did not discover any security issues and did not identify any of our critical third parties as an Okta customer impacted by the breach.
Response to customers
Trust is one of our core watchwords and we hold our responsibility as protectors of our customers' information and of our services in the highest regard. FullStory did NOT find any indicators of compromise that would point to a successful attack on our systems. Below is some additional information regarding the background, cause, and remediation steps we took regarding the Log4j vulnerability in order to maintain the trust you have in our company.
Log4Shell Vulnerability Background
On December 9, 2021, security researchers discovered a flaw in the code of a software library used for logging. The library, Log4j, is built on Java, a popular programming language with widespread use in software and applications worldwide. This flaw in Log4j is estimated to be present in over 100 million instances globally. The vulnerability, and the attacks that exploit it, are referred to as Log4Shell in the cybersecurity community.
The flaw, which the security community refers to as a vulnerability, was rated 10 out of 10 on the Common Vulnerability Scoring System (CVSS) because of the potential impact it can have if leveraged by attackers. Details of the vulnerability can be found in the National Vulnerability Database (NVD) under CVE-2021-44228.
As of Dec. 14, researchers discovered that the fix developed for CVE-2021-44228 was incomplete, and the vendor, Apache, released a new fix. On Dec. 17, two new issues were confirmed, and the next day Apache released another fix. We expect this cycle of vulnerability and fix to continue as attackers and researchers keep focusing on Log4j. For more information, including recommended remediation actions and resources: https://www.cisecurity.org/log4j-zero-day-vulnerability-response
FullStory Response & Actions to Log4j
FullStory worked diligently to ensure that our environment is safe from exploitation and that we have deployed all possible mitigating measures. Keeping customer data safe is our highest priority, and our security team is working hard to ensure it remains safe and secure.
Once we became aware of this vulnerability, we immediately took steps to determine whether our systems had been exploited via CVE-2021-44228. We found no indicators of compromise within our infrastructure to suggest that a successful attack had taken place.
In accordance with our defense in depth strategy, we deployed mitigations to prevent a successful attack. Below is a list of the mitigation actions we took:
- Updated our web-application firewall (WAF) rules
- Ensured our WAF agents were fully patched
- Reviewed our code to ensure we were properly sanitizing user input within our application layer
- Tested various permutations of the exploit’s payload against this layered defense
- The code paths that would be vulnerable to this exploit are not exposed directly to the internet, so any payload must first pass through our layered defenses, which render it benign.
- Created a Log4j questionnaire to send to our data processors and applicable third parties in order to complete a security assessment.
- Confirmed that the security posture of our applicable third parties and data processors with regard to CVE-2021-44228 was adequate.
Conclusion & Update
FullStory was not impacted by the Log4j vulnerability.
Currently we are patched against this vulnerability up to Log4j v2.16 and will continue to monitor the ecosystem for any new variations of this exploit to ensure we stay one step ahead of threat actors.
We completed assessments of our third parties and data processors and found no non-compliance with remediation efforts, nor any parties that were vulnerable.
In regards to CVE-2021-45046, we performed an investigation and determined that our implementation was unaffected by this new variant of the Log4j vulnerability.
To protect against any potential future exploits, we plan to roll out Log4j v2.17.1 on 1/12/22.
As a security-conscious organization, we are excited to announce the official launch of the FullStory Security Trust Center. Through this portal, you can request access to our compliance documents, review our standardized questionnaires such as the SIG, and gain a general understanding of our security posture.
Over time, our team will be making changes to this portal as we implement new tools and processes in our environment. You can use the Subscribe button to receive email notifications whenever our team has an important update, such as an updated compliance report or a status update regarding a recently discovered major security vulnerability.
-The FullStory Security Compliance Team
If you need help using this Trust Center, please contact our Cybersecurity Risk team.
If you think you may have discovered a vulnerability, please send us a note.