How can we help?

As previously communicated on Dec 20, 2021, the situation of new Log4j vulnerabilities being discovered was developing fast and fluid. Contour continuously monitor and assess the new developments, apply industry recommended remediations to address the vulnerabilities impacting Contour application.

With the situation stabilized, no new vulnerabilities of Log4j reported last week, and the latest Log4j version 2.17.0 comes with the remediations for the known vulnerabilities. Contour will be releasing new patches for all supported versions of Contour, with reference to the release schedule below.

Once the patch is ready, please contact us via our support portal to request the latest package and upgrade your Contour nodes as soon as possible.

Patch Release Schedule

Notes:
* For Contour 6.1 and 7.0, the web application is patched with Log4j 2.17.0, and Corda Enterprise with Log4j 2.16.0. R3 has confirmed the vulnerability addressed by Log4j 2.17.0 already has effective countermeasure in Corda, with reference to R3 Update December 21 2021.

** For Contour 6.0, the web application is patched with Log4j 2.17.0, and Corda Enterprise (CE) with Log4j 2.13.0 (vulnerable). R3 has confirmed NO patching will be made available for CE4.1 used in Contour 6.0. Therefore, recommend members to upgrade to Contour 7.0 as soon as possible.

Further Work
We will continue to conduct regular security and penetration tests by our CREST accredited tester (our last test was conducted in October) as well as continually review our security scans and industry reports for other possible incidents.

Information security and transparency are top priorities for Contour which is why we are targeting our final ISO27001 audit in the coming months together with the development of increased security and network monitoring features. If you have any further questions please raise a request via our support portal.