The PayQuicker security team is aware of and responding to the Log4j2 vulnerability, also referred to as Log4Shell.
Apache Log4j is an open-source library that is utilized by Java applications to facilitate logging requests. On December 9, 2021, a critical vulnerability identified as CVE-2021-44228 was disclosed in the Apache Log4j Java logging library, affecting all Log4j versions prior to 2.15.0. Upon becoming aware of the initial vulnerability disclosure, the security team at PayQuicker began its review of any possible impact to customers and PayQuicker operations. The following is a summary of that activity and the resulting conclusions.
How is PayQuicker Responding?
PayQuicker knows customers and partners are concerned about the security of the PayQuicker products and of their data. The now-infamous zero-day vulnerabilities associated with the Apache Log4j package (see CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) have rightly caused great concern. The widespread use of Java and Apache packages makes this a serious event with far-reaching implications for companies, their partners, and their customers.
PayQuicker has performed extensive due diligence on the issues associated with these vulnerabilities and continues to monitor the situation as it evolves.
Below is a summary of what you need to know and how PayQuicker has responded so far:
- First and foremost, this issue does not apply to PayQuicker products, as we do not use Java anywhere in our solution: not in development, and not in our deployment environment.
- This means there is nothing for PayQuicker customers to do, and customers can be assured that their accounts and data are secure.
- PayQuicker has verified there were no attack attempts on our products or corporate environments prior to our due diligence, and we have enhanced security for our network, endpoints, and products, adding these attack vectors to our already substantial protections.
- PayQuicker has evaluated all critical vendors and found no concerns.
- PayQuicker is in the process of verifying all third-party suppliers of software and services and has found no issues to date. This initial review is nearly complete.
- PayQuicker will continue to perform due diligence not only to manage this issue, but to manage all risks identified within our information security program.
PayQuicker will update this page with important developments and will send out specific communications to customers and partners as deemed prudent or as future need arises.
What else do I need to know?
Though there are no PayQuicker-related actions needed for our customers, businesses are advised to perform their own due diligence on their systems and vendors. Please refer to guidance from the Cybersecurity and Infrastructure Security Agency (CISA).