Information regarding Log4j vulnerability
Like many providers around the world, we became aware on Friday 10 December of a critical vulnerability in the Log4j software developed by the Apache Software Foundation. This software is widely used in web server applications, and a zero-day exploit was discovered – referred to as CVE-2021-44228 or “Log4Shell” – affecting versions 2.0 to 2.14.1.
We reviewed our systems within 24 hours and identified a few that could potentially have been affected. These included some servers running cPanel with a specific email search add-on, and some dedicated customer servers running Java environments, both of which include the Log4j software.
Based on our investigation, we have not detected that any of our services were negatively affected by this exploit. We take proactive measures to protect all our systems, and many of these measures helped in this incident: for example, keeping systems as up to date as possible, ring-fencing servers by role (e.g. disabling email capability on a web server), and only running environments such as Java where a service requires them. This well-maintained, ‘only as required’ approach helps to reduce exposure to such vulnerabilities and the risks that follow from them.
We continue to monitor the situation and are ready to act appropriately on any further relevant intelligence regarding “Log4Shell”. In addition, we have implemented measures designed to defend against attempted activity related to this vulnerability, such as further checking and manual updates to all servers, removal of the specific cPanel email search add-on, and updating Java environments.
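As an added illustration of the server checking described above (example code written for this page, not the provider's own tooling), the script below classifies log4j-core jar filenames against the affected range 2.0 to 2.14.1 cited in the notice. The file paths are constructed sample data; the filename pattern is an inventory triage signal and does not replace confirming the version from the jar's manifest or a vendor advisory.

```python
"""Triage log4j-core jar versions against the range named in the notice
(2.0 through 2.14.1, CVE-2021-44228). Added example; the paths below are
constructed sample data, not taken from any real server."""
import os
import re
from typing import Dict, Iterable, Optional, Tuple

# Affected range per the notice, inclusive at both ends.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# Matches e.g. log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar;
# log4j-api and unrelated jars deliberately do not match.
JAR_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?\.jar$"
)


def parse_version(filename: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a log4j-core jar name, else None.
    A missing patch component (2.0, 2.0-beta9) is treated as 0."""
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Inclusive tuple comparison keeps 2.14.1 in and 2.15.0 out."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(paths: Iterable[str]) -> Dict[str, str]:
    """Map each log4j-core jar path to 'affected' / 'not affected'.
    Paths that are not log4j-core jars are skipped, not reported."""
    report: Dict[str, str] = {}
    for path in paths:
        version = parse_version(path)
        if version is None:
            continue
        report[path] = "affected" if is_affected(version) else "not affected"
    return report


# Constructed sample inventory, as a file scan of a server might return it.
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/usr/share/java/log4j-core-2.17.1.jar",
    "/home/site/lib/log4j-core-2.0-beta9.jar",
]

if __name__ == "__main__":
    for path, status in classify(SAMPLE_PATHS).items():
        print(f"{status:13} {path}")
```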
Further information on this vulnerability is available from the National Cyber Security Centre.