On 9 December a vulnerability was published in a piece of software called Log4j (CVE-2021-44228). This is a popular library used in many Java applications, including enterprise applications and some cloud services, for recording log messages.
The vulnerability in Log4j means that, when specific log messages are recorded, it is possible to execute code from a remote location as well. It is easy to exploit and is now being actively used by malware and ransomware writers.
Reward Gateway does not use Java and is not directly affected by this vulnerability.
At Reward Gateway, our external-facing applications are not written or developed in Java, and we do not use Log4j in the delivery of the services we control.
We are also continually monitoring for vulnerabilities using software composition analysis (among other tools) and have observed no change in relation to this CVE.
Reward Gateway is working with suppliers on any necessary action.
We do rely on third-party suppliers to provide our services, and they may be impacted. We are working with these suppliers to validate that they are not affected and, where necessary, that they are taking the required action to mitigate this CVE.
As of 15/12/2021, we have confirmed that all our subprocessors have either patched or are not vulnerable to this exploit.