The widely-used java logging library, log4j, has an unauthenticated RCE vulnerability that is being actively exploited in the wild.
As of the time of publication of this advisory, Catalyst is not aware of any of its systems, or of any systems we host or manage for our clients, as having been compromised.
We have prioritised client systems according to their criticality and risk, and are patching them to mitigate the potential for the exploit.
Please be aware that systems behind WAFs (Web Application Firewalls), like those provided by Cloudflare and Fastly, are also implementing mitigations.
More information about the vulnerability, and mitigations, is on the CERTNZ website: