20 Dec

Log4Shell / Log4j Vulnerability: Shireburn’s Response

The recent identification of the Log4Shell/Log4j vulnerability (CVE-2021-44228) has exposed many computer systems to significant security risks, including the potential compromise of affected systems.

As part of our ISO 27001 certified processes, our team began investigating, as soon as this vulnerability was identified, any risk that it might expose us or our clients.

Shireburn immediately received requests from our clients to clarify our position on this vulnerability. The following are probably the most frequently asked questions from our clients.

1. Does your organisation have any systems or infrastructure that are known to be affected by the recently announced Log4j vulnerability?
2. Has your organisation taken any action to assess the potential impact of the vulnerability on critical vendors, suppliers, or subcontractors?

These questions open up two areas for consideration:
1. Are any of Shireburn’s own software products vulnerable to the Log4j vulnerability?
2. Are any of the software products that Shireburn relies on to operate its business, such as billing systems, payment systems, CRMs, and so on, vulnerable?

Shireburn’s software products

Shireburn’s own software products, such as our Indigo, Payroll, HR and Time & Attendance solution, as well as the Shireburn Business Suite products like the Shireburn Financial Manager (SFM), the Shireburn Inventory Management System (SIMS) and the Shireburn Freight System (SFS), are not exposed to this vulnerability.

3rd Party solutions

Shireburn uses a number of third-party software products to operate our business. These are identified in our published sub-processor list, which forms part of our data protection policy.

We have undertaken an assessment of potential vulnerabilities of these third-party suppliers and are satisfied that we, and thus our clients, are not exposed to this vulnerability.

At Shireburn we take security seriously, as shown by our certification to ISO 27001, and we regularly assess our internal systems for all risks, including the latest Log4Shell vulnerability.

The Sophos suite of solutions that we use updated automatically and immediately to protect against this vulnerability, as it does for the numerous vulnerabilities that Sophos detects worldwide every day. These actions, along with system monitoring, keep our systems protected from all threats old and new.