Chorus has identified a limited set of internal applications and resources that use the open-source Apache logging library, Log4j.
The Log4j library is used in many Java applications by companies worldwide. The global vulnerability came to light on Thursday, 9 December.
Since Saturday, 11 December, Chorus has been working with suppliers and partners to upgrade or patch any system that is at risk or could be impacted. The mitigation approach we've undertaken aligns with CERT NZ and vendor recommendations.
Retail service providers do not directly use any services from Chorus that would be susceptible to the Log4j library vulnerability. However, some of Chorus' backend systems have functionality that could be at risk; software patching and updates are in process or completed for these systems.
CERT NZ publishes the most up-to-date information on the issue, and you can find their latest Log4j advisories here.