The UK Financial Conduct Authority (FCA) today issued a notice regarding Log4Shell.
The regulator says it is aware of a remote code execution vulnerability (CVE-2021-44228) that is affecting multiple versions of the Apache Log4j 2 library.
The National Cyber Security Centre (NCSC) is aware that scanning for this vulnerability has been detected in the UK and that exploitation has been detected elsewhere. The NCSC has published guidance to help firms identify whether they may be affected. The NCSC will update this guidance regularly where more information is available.
The FCA recommends that all firms using the Apache Log4j 2 library review the NCSC guidance to ensure the safety of their firm’s systems. Please note any operational impacts associated with this issue should be escalated via normal supervisory reporting processes.
Among the firms that have confirmed that they are monitoring the issue is TP ICAP. On December 14, 2021, the interdealer broker posted a notice stating that there is no evidence that this vulnerability has been exploited successfully against TP ICAP.