The Internet has been full of reports about a critical security vulnerability in recent days. A security vulnerability has been discovered in a software package called log4j, which even the German BSI (Federal Office for IT Security) describes as a “critical threat situation” and declares a red alert level for it.
Is ChurchTools (software) affected?
No. The mentioned software package is not used by ChurchTools, because it is a completely different coding language. Thus, there is not and never was a security risk for our customers or their data.
Measures were nevertheless taken
ChurchTools as a company nevertheless uses internally Java-based services for operation, which use log4j as a dependency. We shut down these services as a precaution after we became aware of the vulnerability (this does not affect our customers!) and carefully checked all our services. We were unable to detect any abuse of this security vulnerability. In addition, these services are not accessible from the Internet, but are only available to ChurchTools employees (keyword: VPN).
IT security is very important to us and we are glad that we and our customers are not affected by this gap. The security of customer data is of great concern to us!