Paid with GoCardless? Read our FAQ for customers
As you may have seen in the news, several new vulnerabilities were reported against Log4J (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). Log4J is a Java-based logging utility that is used for software development. We advise merchants using the gocardless-pro-java API client to use SLF4J. The authors of SLF4J have now confirmed that the library is not vulnerable. You can find more information about this here (https://www.slf4j.org/log4shell.html )
Log4J is a popular library and, like most organisations, we do have references to Log4J across our estate. It is also used by some of our approved vendors and we have applied their patches or mitigations. We have mitigated the risk in our own applications by removing the relevant functionality where applicable and have confirmed no other internal applications are affected. Our investigations have found no evidence of successful exploitation of these vulnerabilities.
Help & resources
GoCardless (company registration number 07495895) is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017, registration number 597190, for the provision of payment services.
GoCardless SAS, an affiliate of GoCardless Ltd (company registration number 834 422 180, R.C.S. PARIS), is authorised by the ACPR (French Prudential Supervision and Resolution Authority), Bank Code (CIB) 17118, for the provision of payment services.