1/5/2022 Update: We have now remediated the Log4Shell vulnerabilities in our environment.
Your security is our highest priority at CallRail. As part of this commitment, we constantly monitor potential threats so that we can mitigate them before they become a problem. In that spirit, we want to make you aware of an emerging vulnerability that we are actively addressing.
What happened?
On Thursday, December 9, 2021, a remote code execution (RCE) vulnerability was disclosed in the Java library Log4j. This vulnerability is being tracked as CVE-2021-44228, and has been dubbed Log4Shell. If exploited, it could potentially allow a remote attacker to execute code on a target’s server.
What is CallRail doing?
Once we were made aware of the vulnerability, CallRail promptly evaluated our environment and vendors to understand potential impact and to develop a methodical remediation plan. During the evaluation process, we identified affected Log4j versions in our environment. We are currently remediating this vulnerability through patching and by enforcing other compensating controls. We have ensured that detective and preventive controls are in place to protect against possible exploitation of the impacted environment.
At the time of this post (12/16/2021), CallRail has not discovered any instances of exploitation of the Log4Shell vulnerability in our environment. We will promptly notify any impacted customers in the event CallRail becomes aware of unauthorized access to our environment.
How significant is this threat to the security of my data?
CallRail’s publicly accessible infrastructure does not use Java or the Log4j library, so the risk of attack is low. However, some internal components were identified that are built in Java and use affected Log4j versions. These systems exist in private subnets that are not publicly accessible, and they have automated monitoring in place to alert our team of unexpected outbound network traffic.
We are not aware of any exploitable vectors in our own stack, but are remediating the threat immediately out of an abundance of caution.
Which sub-processors are affected by this vulnerability?
CallRail uses several sub-processors that may be impacted by this vulnerability. We are actively working on remediation for these components as well. At this time, we have not been made aware of any breaches resulting from this vulnerability.
What are the next steps for me and for CallRail?
CallRail will continue to update this page as the situation unfolds and we work to remediate this vulnerability.
You do not need to take any action at this time. We encourage you to contact support if you need information beyond what is provided here or have any concerns about your security.
Thanks, CallRail Security