Shorthand is not affected by CVE-2021-44228 (a significant security flaw in a commonly used Java logging library).
We do not use Log4j in any of our systems.
We also have very limited usage of Java, with none in use in our core application stack. Where we do utilise Java tooling, it is not public web-facing and it is not using Log4j.
We have additional measures already implemented in our systems that block methods of exploitation of this and other CVEs enabled on any public-facing web services. We also have automatic patch scanning, intrusion detection and other security alerts and measures in place to manage similar vulnerabilities.
