Apache Foundation Log4j 2 vulnerability
22nd December 2021
You will be aware from the recent NHSD cyber alert service notification, digital.nhs.uk/cyber-alerts/2021/cc-3989, that a critical vulnerability has been discovered in Apache Log4j 2, an open source Java package used by numerous apps and services across the internet. This is being tracked as CVE-2021-44228.
We can report that the majority of our third party, non-customer facing systems have now been checked, and are either unaffected, patched or have been mitigated. There are a very small number remaining, which we will continue to follow up with, but these present no risk and will not impact your services.
All customer facing systems have been verified, and are either unaffected, patched or have been mitigated.
We will communicate further should there be any change in our position, but we wanted to reiterate that we are confident that your System C systems remain secure.
If you have any questions, please contact us through the System C service desk as per usual.