Some of you might have seen the reports on the critical vulnerabilities CVE-2021-44228 + CVE-2021-45046 in the Apache Log4j library. Part of the Apache Logging Project, Apache Log4j is one of the easiest ways to log errors and is used by most Java developers across the world. Popularly called LogJam or Log4Shell, CVE-2021-44228 + CVE-2021-45046 are Remote Code Execution (RCE) class vulnerabilities, which means an attacker can remotely execute malicious code on the target system, from the local network or over the Internet.
Upon learning about this vulnerability, the CleverTap security, infra and platforms teams quickly collaborated to address these customer critical questions:
1) Are CleverTap systems affected by this vulnerability?
2) Are systems/data for CleverTap customers protected?
Most of our platform software is home-grown, built from the ground up, which minimizes our dependence on third-party software. We use a monorepo to build and deploy our platform, with slf4j and logback as our core logging framework. Our web servers are also configured to use slf4j as their logging framework.
Although we do not enable logging from any third-party software, we still went in and explicitly verified that log4j is not referenced anywhere, at compile time or at runtime.
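The check described above, that no log4j classes are present in what is built or what is running, can be automated. The scanner below is an added example written for this post; it is not CleverTap's tooling. It walks a directory of build artifacts (or the entries of a running JVM's classpath, extracted from its command line), opens every jar/war/ear, descends into nested archives (where a log4j-core jar bundled inside a fat jar or WEB-INF/lib is easy to miss), and reports any class under `org/apache/logging/log4j/`. `JndiLookup.class` is the real log4j-core class whose JNDI lookup CVE-2021-44228 abuses, so its presence is flagged separately; the sample archives and their file names are constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Any class under this package means log4j 2.x is on the classpath.
LOG4J_PREFIX = "org/apache/logging/log4j/"
# Real log4j-core class implementing the JNDI lookup abused by CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive_bytes(data: bytes, origin: str, findings: list) -> None:
    """Recursively scan an archive held in memory, descending into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        for name in zf.namelist():
            if name.startswith(LOG4J_PREFIX) and name.endswith(".class"):
                findings.append((origin, name))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # Fat jars and WARs nest their dependencies; look inside them too.
                scan_archive_bytes(zf.read(name), f"{origin}!/{name}", findings)


def scan_paths(paths) -> list:
    """Scan every jar/war/ear under the given files or directories.

    Returns a list of (archive path, class entry) tuples for log4j classes found.
    """
    findings = []
    for root in paths:
        root = Path(root)
        candidates = [root] if root.is_file() else root.rglob("*")
        for f in candidates:
            if f.is_file() and f.suffix.lower() in ARCHIVE_SUFFIXES:
                scan_archive_bytes(f.read_bytes(), str(f), findings)
    return findings


def has_jndi_lookup(findings) -> bool:
    """True if the vulnerable JNDI lookup class was seen anywhere."""
    return any(entry == JNDI_LOOKUP for _, entry in findings)


def classpath_from_cmdline(cmdline: str, sep: str = ":") -> list:
    """Extract classpath entries from a running JVM's command line (-cp/-classpath/-jar).

    Feed the result to scan_paths() to check what is actually loaded at runtime.
    """
    parts = cmdline.split()
    entries = []
    for i, tok in enumerate(parts):
        if tok in ("-cp", "-classpath") and i + 1 < len(parts):
            entries.extend(p for p in parts[i + 1].split(sep) if p)
        elif tok == "-jar" and i + 1 < len(parts):
            entries.append(parts[i + 1])
    return entries


def _archive_bytes(entries: dict) -> bytes:
    """Build a zip/jar in memory from {entry name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_samples(directory: str) -> None:
    """Write two constructed archives: a clean logback jar and a WAR nesting log4j-core.

    The class files are empty placeholders; only the entry names matter to the scanner.
    """
    d = Path(directory)
    (d / "logback-classic-sample.jar").write_bytes(
        _archive_bytes({"ch/qos/logback/classic/Logger.class": b""})
    )
    nested_log4j_core = _archive_bytes({
        JNDI_LOOKUP: b"",
        "org/apache/logging/log4j/core/Logger.class": b"",
    })
    (d / "app-sample.war").write_bytes(_archive_bytes({
        "WEB-INF/lib/log4j-core-sample.jar": nested_log4j_core,
        "WEB-INF/classes/com/example/Main.class": b"",
    }))


def demo_scan() -> list:
    """Build the constructed samples in a temp dir and return the sorted class entries found."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return sorted(entry for _, entry in scan_paths([tmp]))


if __name__ == "__main__":
    for entry in demo_scan():
        print("log4j class found:", entry)
```

For the compile-time side, run the scanner over the build output and cross-check with the build tool's own dependency report (`mvn dependency:tree` or `gradle dependencies`); for the runtime side, take the `-cp`/`-jar` arguments of each live JVM process, pass them through `classpath_from_cmdline`, and scan those paths, since a container image or deployment script can add jars the source tree never mentions.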
Our web infrastructure is protected by the Cloudflare WAF (Web Application Firewall), which helps mitigate vulnerabilities at the perimeter. We have also verified that the relevant signatures are enabled and are actively blocking matching traffic at the WAF layer.
CleverTap is not affected by the CVE-2021-44228 + CVE-2021-45046 vulnerabilities. We have taken all steps to verify and confirm that CleverTap customers’ data and systems are safe.