Frequently asked questions

Log4J

GoCardless update on Log4J’s reported vulnerability

As you may have seen in the news, several new vulnerabilities were reported against Log4J (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). Log4J is a Java-based logging utility that is used for software development. We advise merchants using the gocardless-pro-java API client to use SLF4J. The authors of SLF4J have now confirmed that the library is not vulnerable. You can find more information about this here: https://www.slf4j.org/log4shell.html

Have GoCardless services been impacted by this vulnerability?

Log4J is a popular library and, like most organisations, we do have references to Log4J across our estate. It is also used by some of our approved vendors and we have applied their patches or mitigations. We have mitigated the risk in our own applications by removing the relevant functionality where applicable and have confirmed no other internal applications are affected. Our investigations have found no evidence of successful exploitation of these vulnerabilities. 
