Everyone is talking about the CVE-2021-44228 vulnerability recently found in the Log4j logging library, which was nicknamed Log4Shell because it allows an attacker to execute arbitrary code on a remote server if they can send it data that will appear inside log messages.
Well, everyone except us. We understand that you may be worried by our silence. In fact, we started an infrastructure review as soon as we heard about the vulnerability and, to our relief, found that none of the projects we use are using Log4j at all, so it's not a concern for us.
The only project written in Java that we are using is Jenkins, and, luckily, in our setup, it's not using Log4j.
However, if you have other concerns about infrastructure security and you have ideas on how we can improve it, feel free to share your suggestions!