ClickTime’s Response to Log4j Vulnerability

On Friday, December 10, 2021, the United States Cybersecurity and Infrastructure Security Agency issued an alert about a vulnerability in Apache’s Log4j logging framework (CVE-2021-44228).

Our security and development teams have reviewed all of our code and internal systems and confirmed that the ClickTime service isn’t vulnerable to Log4j. We are actively monitoring this industry issue and reviewing all of our vendors and third-party services to determine if any of them use the vulnerable component and need to be updated.

We take the protection of our customers’ data very seriously. Updates will be posted to this thread at https://system.clicktime.com as additional information becomes available.

Updates

12/13/2021 03:00pm PT update: Our operations team identified one internal system monitoring tool whose vendor acknowledged it needed to be updated due to the Log4j (also known as Log4Shell) vulnerability. This system isn’t accessible to the public and thus wasn’t directly at risk, but we have completed the update successfully. We continue to investigate our software and our vendors for any issues or updates needed.

12/14/2021 04:30pm PT update: Our security and development teams have reviewed all of our code and internal systems and confirmed that the ClickTime service isn’t vulnerable to Log4j.

12/15/2021 10:05am PT update: We continue to review all vendors, third-party software and third-party services we engage with to ensure that they are verifying and updating their systems as needed.

TLS 1.0 and 1.1 Not Supported as of September 15, 2020

As previously announced, we will no longer support TLS (Transport Layer Security) versions 1.0 and 1.1 starting on September 15, 2020.

All supported browsers and operating systems already support TLS 1.2, so this should not affect any individual person’s ability to access and use ClickTime’s web and mobile apps. It’s possible, however, that some integrations or third-party solutions that interact with ClickTime in an automated fashion using our REST API, SOAP API or Excel Linking features may have been built on outdated technology that doesn’t support modern security standards.

For more information regarding TLS please see the following:

Why are we deprecating TLS 1.0 and 1.1?

We are deprecating TLS 1.0 and 1.1 to ensure ClickTime supports our customers and partners with safe and secure communication protocols. Using TLS 1.2 is a recommended security best practice: it provides a higher degree of privacy and data integrity than previous versions and maintains compliance with the latest industry standards.

What should you know?

Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems and protect the confidentiality and integrity of information that passes between them. TLS 1.2 was published in 2008 to replace version 1.0 (published in 1999) and version 1.1 (published in 2006).

How can I track whether I’m impacted by this or not?

If your integration stops functioning after September 15, 2020, your integration or the system on which it’s running will need to be updated to maintain compliance with the latest industry standards.

What happens if my system doesn’t support TLS 1.2 and I don’t upgrade it?

If any of your integrations still require an older TLS version after these old versions are deprecated on September 15, 2020, those integrations won’t be able to connect to ClickTime.

If you have any additional questions, please contact ClickTime Support.

The ClickTime Team