On Friday, December 10, 2021, the United States Cybersecurity and Infrastructure Security Agency issued an alert about a vulnerability in Apache’s Log4j logging framework (CVE-2021-44228).
Our security and development teams have reviewed all of our code and internal systems and confirmed that the ClickTime service isn’t vulnerable to Log4j. We are actively monitoring this industry issue and reviewing all of our vendors and third-party services to determine if any of them use the vulnerable component and need to be updated.
We take the protection of our customers’ data very seriously. Updates will be posted to this thread at https://system.clicktime.com as additional information becomes available.
Updates
12/13/2021 03:00pm PT update: Our operations team identified one internal system monitoring tool whose vendor acknowledged it needed to be updated due to the Log4j (also known as Log4Shell) vulnerability. This system isn’t accessible to the public and thus wasn’t directly at risk but we have completed the update successfully. We continue to investigate our software and our vendors for any issues or updates needed.
12/14/2021 04:30pm PT update: Our security and development teams have reviewed all of our code and internal systems and confirmed that the ClickTime service isn’t vulnerable to Log4j.
12/15/2021 10:05am PT update: We continue to review all vendors, third-party software and third-party services we engage with to ensure that they are verifying and updating their systems as needed.