- A serious vulnerability in a piece of software called Apache Log4j has recently been revealed
- It affects software, servers and systems around the world that run Java applications using a vulnerable version of Log4j
- Fellowship’s web hosting partners have already patched any servers where Apache Log4j is installed (there weren’t many!)
- WordPress and its plugins are very unlikely to be at risk from this vulnerability
- You should update software on your local devices as a matter of priority
- You should check that your other IT / software / systems providers have taken all necessary measures
Apache Log4j is a logging library used by Java applications rather than a stand-alone program, so it is present wherever a Java application that depends on it is installed: on many servers around the world, and also on desktop PCs and other devices that require Java for some aspect of their functionality. That could be part of the operating system (OS) or an application that runs within the OS. It could also be a bespoke application such as the software that runs your internet router.
Fellowship has been assured by all of our web hosting partners that every server on which Apache Log4j is installed has been patched with the updated version (2.15.0). So, if your website is hosted by Fellowship, its server is covered. One caveat: 2.15.0 was subsequently found to be an incomplete fix (CVE-2021-45046), and Apache went on to release 2.16.0 and then 2.17.0, so it is worth confirming with any provider that they are on the current release rather than stopping at 2.15.0. Furthermore, the parts of your website that Fellowship is directly responsible for (usually a bespoke WordPress theme and, possibly, some bespoke plugins) are written in PHP, not Java, so they could not have been using the vulnerable version of Apache Log4j in any case.
In addition, the WordPress core itself has no reliance on Java whatsoever: WordPress is written in PHP, Log4j is a Java library, and the two never share a process. Third-party WordPress plugins are PHP too, so they cannot load Log4j directly. The one thing worth checking is whether a plugin sends data to an external Java-based service (a hosted search index, for example); in that case it is that service, not WordPress, that needs to be patched.
Due to the severity of the Log4Shell (CVE-2021-44228) vulnerability, IT and other software and service providers are almost certainly updating their own systems where necessary. We would therefore encourage you to liaise with any of your other third-party IT, software and systems providers to satisfy yourself that they have taken whatever measures are required of them. This might include your IT company, cloud system providers (e.g. CRM or email marketing systems) and integration partners (e.g. payment gateways).
NB: in line with GDPR, you should already have a list of these providers, as they are most likely also third-party data processors.
Finally, we would encourage you to take the opportunity, as we are, to ensure that any software running on your local IT infrastructure is updated wherever necessary. As mentioned earlier, Java is often installed on desktop and laptop PCs as well as on internet routers and similar devices, so any update prompts you see on these devices should be actioned as a matter of high priority. Neither iOS nor Android ships the standard Java runtime, but individual apps can bundle Java libraries (Android apps are themselves largely written in Java or Kotlin), so, as always, keep these devices fully up to date too.
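If you administer your own servers or workstations and want to check for yourself whether a vulnerable Log4j is present, rather than relying solely on a provider's assurance, the following is an added example (it is not Fellowship's tooling, nor anything from the Log4j project). It walks a directory tree, opens every jar/war/ear/zip it finds, recurses into archives nested inside them (the usual place for a bundled Log4j), reads the version from the manifest or file name, and flags anything below Apache's fixed releases (2.17.0, or 2.12.4 / 2.3.2 on the older Java 7 / Java 6 lines) so that a server patched only to 2.15.0 is still reported. It also notes whether JndiLookup.class is present, since removing that class was Apache's interim mitigation. It assumes Python 3; the jars it scans in the demo are constructed in a temporary directory purely for illustration and are not real Log4j artefacts.

```python
"""Scan a directory tree for Log4j 2 'log4j-core' archives (including ones nested
inside wars/ears) and report whether each is at a fixed version.
Added example, not Fellowship's tooling; version floors are Apache's fixed releases."""
import io
import os
import re
import shutil
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
MANIFEST_VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.M)
FILENAME_VERSION_RE = re.compile(r"log4j-core-(\d+\.\d+\.\d+)")
# Lowest fixed release per 2.x branch; every other 2.x line needs 2.17.0 or later.
# 2.15.0 on its own is NOT enough (CVE-2021-45046), hence the 2.17.0 floor.
FIXED_FLOOR = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
DEFAULT_FLOOR = (2, 17, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.17.0-SNAPSHOT'."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def is_fixed(version):
    """True/False for Log4j 2.x; None for 1.x (not affected by CVE-2021-44228, but end-of-life)."""
    v = parse_version(version)
    if len(v) < 2 or v[0] != 2:
        return None
    return v >= FIXED_FLOOR.get(v[:2], DEFAULT_FLOOR)


def inspect_archive(data, label, findings):
    """Look inside one archive (as bytes) for log4j-core, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") \
            if "META-INF/MANIFEST.MF" in names else ""
        # Prefer the manifest; fall back to the version embedded in the file name.
        m = MANIFEST_VERSION_RE.search(manifest) or FILENAME_VERSION_RE.search(label)
        version = m.group(1) if m else "unknown"
        findings.append({
            "path": label,
            "version": version,
            "fixed": is_fixed(version) if version != "unknown" else None,
            "jndi_lookup_present": JNDI_CLASS in names,  # absent => class-removal mitigation applied
        })
    for n in names:
        if n.lower().endswith(ARCHIVE_EXT):
            inspect_archive(zf.read(n), label + "!" + n, findings)
    return findings


def scan_tree(root):
    """Walk a directory and inspect every jar/war/ear/zip found beneath it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings


def fake_log4j_core(version, with_jndi=True, in_manifest=True):
    """Constructed sample data: a minimal jar shaped like log4j-core (NOT the real library)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if in_manifest:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo():
    """Build a constructed sample tree, scan it, and return the findings sorted by path."""
    root = tempfile.mkdtemp(prefix="log4jscan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:   # vulnerable
        fh.write(fake_log4j_core("2.14.1"))
    with open(os.path.join(lib, "log4j-core-2.12.2.jar"), "wb") as fh:   # old, but JndiLookup removed
        fh.write(fake_log4j_core("2.12.2", with_jndi=False))
    war = io.BytesIO()                                                    # fixed jar nested in a war
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", fake_log4j_core("2.17.1", in_manifest=False))
        zf.writestr("WEB-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe")
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    findings = sorted(scan_tree(root), key=lambda f: f["path"])
    shutil.rmtree(root)
    return findings


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Run it against a real tree with `scan_tree("/")` (or `/opt`, `/var/lib`, `C:\Program Files`, wherever your Java applications live); a finding with `fixed` False and `jndi_lookup_present` True is the one to act on. The file-name fallback exists because some repackaged jars carry no `Implementation-Version` in their manifest, and the recursion exists because a Log4j bundled inside a war or ear never appears as a file on disk at all.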
Some useful links:
- Finding applications that use Log4J – a (probably not exhaustive) list of software and systems affected by the Log4Shell (CVE-2021-44228) vulnerability
- Microsoft’s Response to CVE-2021-44228 Apache Log4j 2
- National Cyber Security Center article on the Log4Shell (CVE-2021-44228) vulnerability