I know that most of you will have already reached out to us directly regarding this, but here is our all-encompassing update, which has been agreed upon by the various higher-level stakeholders. Also, please find attached the official TR response along with some steps to mitigate at Appliance level for those of you using an Appliance which allows for inbound connections from outside of your networks.

Following the discovery of a potential vulnerability in the Log4j logging framework this weekend, our technical teams have been working tirelessly to assess the risk profile of the HighQ platform as well as the infrastructure hosting it. 

 

After a thorough evaluation, we are pleased to confirm that the main HighQ platform, including all modules and their associated microservices, is not impacted by this vulnerability. This has been validated by an extensive analysis of related log files which confirm that any malicious attempts to exploit this vulnerability have all been successfully blocked and that consequently there have been no breaches of any kind.

 

Our technical teams did identify a potential area of concern with the application that provides our SSO capability, but this has already been successfully remediated in a patch deployed over the weekend.  Other precautionary updates have been made to other externally facing resources in order to mitigate any other areas of concern.

 

We also recognise that a number of our customers will be concerned about the potential exposure of their HighQ Appliance applications that are hosted within their own networks. As such, we have put together the attached remediation advice for your IT teams to follow. We highly recommend that these steps are followed at the earliest possible opportunity. (Attachment: HighQ Appliance – Log4j Remediation Advice)

 

Thank you for your patience and understanding whilst our teams worked to investigate and remediate any potential risks.  Our technical teams will continue to monitor the situation as it develops and advise if any further action needs to be taken.  Please also find attached an additional response from the wider Thomson Reuters organization.  (Attachment: Thomson Reuters Log4j response and remediation)
