Java Log4j vulnerability

3rd February 2022

On 9th December, a major vulnerability was found in Log4j, an open-source Java logging library developed by the Apache Foundation. It is widely used in many global applications and is present in many services, including some provided by Civica.

Systems and services that use the Java logging library Apache Log4j, between versions 2.0 and 2.14.1, are affected. Version 2.17.1 was released on 27th December as a fix for the issue.

Civica’s technical experts are aware of the issue and have taken immediate steps to put in place protective measures. The company has a strong track record related to systems and data integrity and we are treating this matter very seriously with executive oversight.

We have put in place the necessary actions in relation to our software products in line with industry standards. This includes applying the required security patches and updates, and we will be sharing advice and guidance as necessary.

Civica has a range of infrastructure measures in place which have been configured to specifically detect and prevent attacks related to the Log4j vulnerability. These include systems providing automated intrusion detection/prevention and Security Incident Event Management. These systems are supported by our ISO22301 certified business continuity processes which include a dedicated Incident Response Team. We will ensure our infrastructure continues to be updated with the latest industry protections and fixes as they become available.