As you are likely aware, late last week, Apache disclosed that the Log4j 2 utility contains a vulnerability that may be exploited for unauthenticated remote code execution. We are actively monitoring this issue and are working to patch any Thomson Reuters product that uses the vulnerable component Log4j 2.

Since the disclosure of the vulnerability, our internal cybersecurity experts have been working continuously to analyze our products and services, to understand where the component may be used, and to take expedited steps to remediate any systems that may have a potential vulnerability. To date, our investigations continue to show no evidence that Thomson Reuters systems have been negatively impacted. Thomson Reuters data and systems continue to be secured in accordance with industry standards.

At this time, we can confirm that the vulnerability either does not exist or has been remediated in the vast majority of Thomson Reuters products. Our investigation into the situation is ongoing, as are any further remedial actions that may be required. As such, in an abundance of caution, our teams will be performing additional maintenance tasks throughout this coming weekend, beginning this evening, which may result in your platform being temporarily unavailable outside of normal deployment and maintenance windows. We expect this to take place overnight for the majority of regions in order to minimise disruption.

Our top priority is ensuring the integrity of our systems and the information that our customers rely on, and this is purely a preventative measure to ensure that we continue to be unaffected by this evolving situation. If Thomson Reuters becomes aware of unauthorized access to Customer Data, we will notify impacted customers as soon as reasonably possible.

  • Yes, absolutely. As per the above, the plan is to keep up to date in subsequent maintenance releases. However, the current view is that there is no need for immediate action to do this due to other safeguards.

  • Mark Edwards, so no plan to upgrade to 2.17 for the main platform?

  • Hi Mark - we are currently running Log4j 2.16.0 in our main platform applications and 2.17.0 in our Appliance. Our security teams are constantly monitoring the situation and will advise if anything needs to change in the short term. For now, I believe the plan is to ensure that we keep up to date in subsequent maintenance releases as a precaution but there is no need for immediate action at present.

  • Mark Edwards, can you let us know what version of Log4j is currently installed, at least in the online service? My security team is asking about this, given that Apache has needed to issue 3 patches. If there is another maintenance patch to be released, can you provide details on when and what version will be installed? Thank you!

  • It certainly seems to be the 'gift' that keeps on giving... Thanks for highlighting, Andrew - our teams are already on it and will follow up as soon as possible to advise our next steps.