In June 2023, SQL injection vulnerabilities were identified in the MOVEit Transfer web application (CVE-2023-34362 and CVE-2023-35036). SFTP Gateway customers have reached out to us, asking about this issue.
SFTP Gateway is not affected by the MOVEit incident. MOVEit is a different product built by a different company, and is just one of many products in the file transfer space.
Both CVEs involve SQL injection sent over HTTP to MOVEit's web transfer interface. SFTP Gateway has no web (HTTP) transfer feature and only supports the SFTP protocol, so these CVEs do not apply to it.
Security recommendations for SFTP Gateway customers
You should check that ports 443 and 2222 are locked down to only system administrator IP addresses:
- Port 443: The web admin portal lets you manage SFTP users and map them to cloud storage locations.
- Port 2222: You can SSH to the OpenSSH service on port 2222 for server administration. Note: port 22 carries SFTP only and does not accept SSH connections.
Restricting access at the EC2 Security Group level will prevent any attempts to access these privileged ports.
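As an added example, not part of the original advisory or SFTP Gateway's own tooling, the following Python check audits a security group's ingress rules for ports 443 and 2222 reachable from any source outside an administrator allow-list, and builds the restricted rule set you would submit instead. The group id, the rule CIDRs, and the administrator range 203.0.113.0/24 are constructed placeholders in the shape of `aws ec2 describe-security-groups` output; substitute the real group's JSON and your own admin addresses.

```python
import ipaddress

# Privileged ports named in the advisory: 443 (web admin portal) and 2222 (OpenSSH admin).
ADMIN_PORTS = {443, 2222}

# Constructed sample shaped like one entry of `aws ec2 describe-security-groups`.
# The group id and CIDRs are hypothetical placeholders, not values from the advisory.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        # Port 22 is the SFTP service for end users and is expected to be reachable.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # Admin portal open to the whole internet: should be reported.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # Admin SSH limited to a single administrator host: acceptable.
        {"IpProtocol": "tcp", "FromPort": 2222, "ToPort": 2222,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        # "-1" means all protocols and ports, so this /8 also reaches 443 and 2222.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}


def _rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":           # all traffic
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _is_admin_source(cidr, admin_cidrs):
    """True if `cidr` lies entirely inside one of the administrator ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    for allowed in admin_cidrs:
        allowed_net = ipaddress.ip_network(allowed, strict=False)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def find_exposed_admin_ports(group, admin_cidrs):
    """Return sorted (port, cidr) pairs where a privileged port is reachable
    from a source that is not inside the administrator allow-list."""
    findings = set()
    for rule in group["IpPermissions"]:
        for port in ADMIN_PORTS:
            if not _rule_covers_port(rule, port):
                continue
            ranges = rule.get("IpRanges", []) + rule.get("Ipv6Ranges", [])
            for entry in ranges:
                cidr = entry.get("CidrIp") or entry.get("CidrIpv6")
                if cidr and not _is_admin_source(cidr, admin_cidrs):
                    findings.add((port, cidr))
    return sorted(findings)


def admin_only_permissions(admin_cidrs):
    """Ingress rules for the privileged ports limited to admin sources, in the
    shape accepted by `aws ec2 authorize-security-group-ingress --ip-permissions`."""
    return [
        {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": c, "Description": "SFTP Gateway admin access"}
                      for c in admin_cidrs]}
        for port in sorted(ADMIN_PORTS)
    ]


if __name__ == "__main__":
    admins = ["203.0.113.0/24"]   # constructed administrator range
    for port, cidr in find_exposed_admin_ports(SAMPLE_GROUP, admins):
        print(f"{SAMPLE_GROUP['GroupId']}: port {port} reachable from {cidr}")
    print("Replacement rules:", admin_only_permissions(admins))
```

Run the audit against each security group attached to the SFTP Gateway instance; an empty result for the allow-list you actually use means ports 443 and 2222 are reachable only from administrator addresses, while port 22 is deliberately left out of the check because end users need it.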