You may have heard about the zero-day vulnerability announced by Apache, which has impacted a number of companies across the globe. This newly discovered vulnerability allows for unauthenticated remote code execution.
Log4j is an open source Java logging library developed by the Apache Foundation. Log4j is widely used in server infrastructure, applications and in many digital services.
Xero takes a multi-layered approach to ensuring that our products, and the platform they run on, are secure. Upon becoming aware of the vulnerability, Xero took immediate steps to strengthen the layers of defense that protect our critical functions against it.
What does this mean for you?
During our assessment process, we identified that any app using Log4j (versions 2.0 through 2.14.1) may be vulnerable. Those using Log4j with older versions of Xero’s Java SDK (3.x or below) are most at risk. If you’re using the newer version of Xero’s Java SDK, 4.0.1, we still recommend that you verify which libraries you are using.
We also recommend that you investigate all of your systems that use Apache Log4j, determine whether they are potentially vulnerable, and patch them.
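One practical way to carry out the check above is to look inside the deployed archives rather than only at declared dependencies, because log4j-core often arrives nested inside a fat jar or WAR, or shaded without any version metadata. The scanner below is an added example written for this advisory; it is not Xero's code and not part of the original notice. It assumes Maven's standard `META-INF/maven/<groupId>/<artifactId>/pom.properties` layout and the `org/apache/logging/log4j/core/` package prefix, flags versions inside the 2.0 to 2.14.1 range stated above, and reports anything outside that range as "outside the stated range" rather than as safe, since the recommended fixed version should be taken from Apache's current guidance. The `build_jar` helper and the archives in the demo are constructed fixtures.

```python
"""Added example (not Xero's code): locate log4j-core inside .jar/.war
files, including jars nested in fat jars or WAR archives, and flag versions
in the range the advisory names (2.0 through 2.14.1)."""
import io
import re
import zipfile
from pathlib import Path

AFFECTED_LOW = (2, 0)        # range quoted in the advisory above
AFFECTED_HIGH = (2, 14, 1)

# Standard Maven layout: every Maven-built jar carries a pom.properties for
# its own coordinates, here org.apache.logging.log4j:log4j-core.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_CLASS_PREFIX = "org/apache/logging/log4j/core/"   # log4j-core package prefix
JAR_NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*[^/]*)\.jar$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Leading dotted-numeric part of a version string as an int tuple:
    '2.14.1' -> (2, 14, 1), '2.0-beta9' -> (2, 0); None if unparseable."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(version):
    """True when the version lies inside the advisory's stated range."""
    v = parse_version(version)
    return v is not None and AFFECTED_LOW <= v <= AFFECTED_HIGH


def inspect_archive(data, name, depth=0, findings=None):
    """Append (archive_name, version_or_None, affected_or_None) for every
    log4j-core found in `data` (bytes of a zip/jar) or nested inside it.
    A version of None means log4j-core classes were found without metadata."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                       # not an archive, nothing to report
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPERTIES in names:           # Maven-built jar: read version=
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        else:                                 # fall back to the file name
            m = JAR_NAME_RE.search(name)
            if m:
                version = m.group(1)
        if version is not None:
            findings.append((name, version, is_affected(version)))
        elif any(n.startswith(CORE_CLASS_PREFIX) for n in names):
            # Shaded or relocated build with no metadata: the classes are
            # present but the version is unknown, so it needs manual follow-up.
            findings.append((name, None, None))
        if depth < 3:                         # recurse into nested archives
            for n in names:
                if n.lower().endswith(ARCHIVE_SUFFIXES):
                    inspect_archive(zf.read(n), f"{name}!{n}", depth + 1, findings)
    return findings


def scan_tree(root):
    """Walk `root` on disk and return findings for every archive under it."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_archive(path.read_bytes(), str(path), findings=findings)
    return findings


def build_jar(version=None, entries=None):
    """Constructed test fixture: a minimal in-memory jar, optionally carrying
    Maven's pom.properties for log4j-core plus extra (name, bytes) entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES, f"version={version}\n"
                        "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        for entry_name, payload in (entries or []):
            zf.writestr(entry_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed demo: a Spring-Boot-style fat jar with log4j-core 2.14.1 inside.
    fat_jar = build_jar(entries=[("BOOT-INF/lib/log4j-core-2.14.1.jar", build_jar("2.14.1"))])
    for archive, version, affected in inspect_archive(fat_jar, "app.jar"):
        status = {True: "IN ADVISORY RANGE", False: "outside stated range"}.get(affected, "version unknown")
        print(f"{archive}: log4j-core {version or '?'} -> {status}")
```

Run `scan_tree("/path/to/deployments")` against the directories your services are deployed from; a `None` version means log4j-core classes were found with no metadata and the build should be traced back to its source, and any version inside the range needs the same treatment as a confirmed hit.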
Information is also available on the NZ CERT website here (NZ CERT is well regarded globally — different advisors globally will be providing their own advice and you should also obtain your own independent advice where appropriate).
We take the security of our customers’ data very seriously and will continue to keep our community updated on relevant information.