Apache Log4j Vulnerability

Background

The Apache Log4j 2 utility is a commonly used component for logging requests across global technology infrastructure and applications. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j 2 version 2.15 or below to be compromised and allow an attacker to execute arbitrary code.

Since that time, technology companies globally have been assessing the vulnerability, its implications broadly and for their systems, and taking appropriate mitigation actions.

Impact for Aphex

Since Dec 10th we have been assessing our systems in order to ensure that both our systems and our customer or user data remains secure.

Aphex Systems

Our first priority was to assess our core application and infrastructure (the things our customers would know as Aphex).

We can confirm that Aphex application and infrastructure does not use Apache technology and therefore also does not use the Log4j library.

Subprocessor Systems

Our second priority was to assess all of our subprocessors to understand their exposure and evaluate their responses on a risk basis. As as a part of the SaaS ecosystem using best in class and market leading subprocessors, we expected at the outset that some would be using the common Apache technology, either directly or indirectly in their subprocessors.

We believe there to be no risk to customer data associated with the Log4j vulnerability.

To provide complete transparency, we have listed those subprocessors reporting direct or indirect exposure and their responses and actions below. A reminder that our full subprocessors list is maintained here.

Affected Subprocessor List

‍

What next?

No action is needed from our users or customers. We will continue to monitor the actions of our subprocessors and provide updates if anything changes.