On Friday, December 9, 2021, a new vulnerability was disclosed in the Apache Log4j module. This was officially identified as CVE-2021-44228, and was unusual in that it was both easy to exploit and very common across the Internet.
Immediately after the disclosure, the CitNOW engineering team checked all the production systems and confirmed that Log4j is not in use on any CitNOW production servers. Log4j is commonly used in Java applications, and the CitNOW systems are not written in Java.
Shortly after the disclosure, the CitNOW compliance team started the process of contacting all of our third-party suppliers to establish whether they are affected. This process is ongoing, but as of Tuesday 14th December, no third parties have declared that they remain vulnerable, or that they had any evidence of any attack.
For further reassurance, the CitNOW engineering team also ran a recently released penetration test to check for the vulnerability and nothing was found.