A few days ago security researchers discovered a flaw in a piece of open source software. This is not a rare occurrence. Software is constantly evolving, as are the attacks on the systems that use it. One of the beauties of open source software is that users are able to improve on it, including finding and fixing security issues. However, the impact of a security issue varies dramatically depending on how severe the flaw is and how many systems use the affected software.
In the case of Log4J, the software is very widely used, so the flaw is a major headache for many companies. However, for the most part neither we nor our clients should be affected (see below).
We’ve assessed our own systems and network and our technical team have published a short statement here.
Our internal software stack is open source and most of what we use is built around Python and PHP. We do use other scripting languages, and we interface with third-party systems that run a very wide range of technologies, but nothing that our team uses is affected.
Unfortunately some people seem to be confused about what this current issue impacts.
It does NOT impact the Apache web server.
Yes, Log4J is a project under the broader Apache Software Foundation, but that foundation hosts a great many software projects that have absolutely nothing to do with web servers. Log4J itself is a logging library for Java applications, not a web server.
If you’re worried about this vulnerability, there are more details on it here and here, including details on whether and how various software and services were affected. The National Cyber Security Centre has also issued an alert here (PDF).
Also, if you are using open source software in your business, think about how you can support its ongoing professional development.