On September 27, 2023, Progress Software released patches (versions 8.8.2 and 8.7.4) to address a group of security vulnerabilities in WS_FTP Server. The patches respond to the CVEs disclosed at that time. This document provides an overview of steps you can take to protect your organization and your third-party network, as well as a summary of our investigation and mitigation efforts.
WS_FTP Server is a widely deployed tool for transferring files within an organization. Organizations of all sizes and industries use it, so these vulnerabilities could have widespread implications.
Severity and Impact
CVE-2023-40044 has been designated a Critical severity vulnerability, with the other related vulnerabilities ranging between High and Low severity. If exploited, these vulnerabilities could lead to remote code execution (RCE) or directory traversal attacks.
The patches fix the applicable security issues, which affect WS_FTP Server releases earlier than 8.7.4 on the 8.7 branch and earlier than 8.8.2 on the 8.8 branch.
It is important to quickly assess the impact and risk both internally and within your third-party population. Take action now and follow these steps to assess the potential impact to systems and remediate accordingly.
Step 1: Determine if you are at risk.
- If you or a third party is using WS_FTP Server, the system may be vulnerable to these CVEs.
- To assess whether your third parties are vulnerable, customers can access the WS_FTP Server Critical Vulnerability Questionnaire in the Whistic platform under our Questionnaire Standards Library.
Step 2: Immediately patch systems that have been impacted.
- Make sure your team is aware of the vulnerabilities and of the patch releases of September 27, 2023.
- Determine which applications and infrastructure are running WS_FTP Server versions earlier than 8.7.4 (8.7 branch) or 8.8.2 (8.8 branch).
- Update any vulnerable installations of the affected software.
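To make Steps 1 and 2 repeatable across an internal inventory and third-party questionnaire responses, the following script is an added example (not part of the original post or of any Progress or Whistic tooling). It compares each reported WS_FTP Server version against the fixed release for its branch and names the upgrade target. The hostnames and vendor names are constructed sample data, and the treatment of branches older than 8.7 as vulnerable is an assumption based on no fixed release existing on those branches.

```python
from dataclasses import dataclass

# Fixed releases named in the Progress advisory, keyed by release branch.
FIXED_BY_BRANCH = {(8, 7): (8, 7, 4), (8, 8): (8, 8, 2)}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.8.1' (or '8.7.4.0') into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable WS_FTP Server version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the reported version predates the fixed release on its branch."""
    v = parse_version(version)
    branch = v[:2]
    padded = v + (0,) * max(0, 3 - len(v))  # '8.8' -> (8, 8, 0)
    if branch in FIXED_BY_BRANCH:
        return padded[:3] < FIXED_BY_BRANCH[branch]
    # Assumption: no fix exists on branches before 8.7, so any such install
    # must be upgraded; branches newer than 8.8 postdate the patched releases.
    return branch < (8, 7)


@dataclass
class Install:
    owner: str      # "internal" or the third party's name
    host: str
    version: str


def triage(inventory: list[Install]) -> list[tuple[Install, str]]:
    """Return (install, required_action) for every vulnerable installation."""
    findings = []
    for inst in inventory:
        if is_vulnerable(inst.version):
            branch = parse_version(inst.version)[:2]
            # Older branches have no fix of their own; move them to 8.8.2.
            target = FIXED_BY_BRANCH.get(branch, FIXED_BY_BRANCH[(8, 8)])
            findings.append((inst, "upgrade to " + ".".join(map(str, target))))
    return findings


# Constructed sample inventory (not real hosts): internal CMDB rows plus
# third-party questionnaire answers.
SAMPLE_INVENTORY = [
    Install("internal", "ftp01.corp.example", "8.8.1"),
    Install("internal", "ftp02.corp.example", "8.8.2"),
    Install("Acme Logistics", "transfer.acme.example", "8.7.3"),
    Install("Acme Logistics", "transfer2.acme.example", "8.7.4"),
    Install("Globex", "legacy-ftp.globex.example", "8.6.0"),
]

if __name__ == "__main__":
    for inst, action in triage(SAMPLE_INVENTORY):
        print(f"{inst.owner}: {inst.host} runs {inst.version} -> {action}")
```

Feed it whatever version strings your asset inventory or questionnaire responses contain; a version that does not parse raises rather than silently passing, so a blank or free-text answer is surfaced for follow-up instead of being treated as patched.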
Does this affect Whistic?
As a result of our investigation, we have determined that these vulnerabilities (CVE-2023-40044 and related) do not directly impact Whistic. Whistic does not use WS_FTP Server or any technology that depends on it. In addition, we have a structured approach to vulnerability identification and remediation, using tooling in both the development lifecycle and in our staging and production environments.