Monday 13th December 2021
This article was released in response to the recent CVE-2021-44228 (log4j) vulnerability.
No software produced by Gearset uses log4j. None of our software dependencies use log4j.
Since 11th of December 2021, Gearset has responded quickly to evaluate the impact of this vulnerability and have not been able to replicate any routes to exploitation from our own testing, and through testing from our external pen-testers.
Gearset is hosted in AWS data centers. We rely on AWS for Amazon MQ, RDS, and S3 services and are in communication with AWS to understand whether any of their services may be affected. AWS have posted a public facing statement detailing their response at https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.
We will keep this document updated as and when more information is available.