From XU Magazine, Online News

An important update on the Zero-day vulnerability in Apache

December 13, 2021

You may have heard about the zero-day vulnerability announced by Apache, which has impacted a number of companies across the globe. This newly discovered vulnerability allows for unauthenticated remote code execution.


Log4j is an open source Java logging library developed by the Apache Foundation. Log4j is widely used in server infrastructure, applications and in many digital services.

Xero takes a multi-layered approach to ensuring the security of our products and the platform they reside on. Upon becoming aware of the vulnerability, Xero took immediate steps to strengthen the layers of defense that protect our critical functions against this potential vulnerability.

What does this mean for you?

During our assessment process, we identified that any app using Log4j (between versions 2.0 and 2.14.1) may be vulnerable. Those using Log4j with older versions of Xero’s Java SDK (i.e. 3.x versions or below) are most at risk. If you’re using a newer version of Xero’s Java SDK, 4.0.1, it is recommended that you verify which libraries you are using.

It is also recommended that you investigate and patch all your systems that use Apache Log4j, and determine whether you are potentially vulnerable.

Information is also available on the NZ CERT website here (NZ CERT is well regarded globally — different advisors globally will be providing their own advice and you should also obtain your own independent advice where appropriate).

We take the security of our customers’ data very seriously and will continue to keep our community updated on relevant information.
