Apache Log4j Remote Code Execution Vulnerability

December 17, 2021

*This is an update to the December 13, 2021 and December 15, 2021 posts regarding the same topic.

ADP is aware of the following Apache Log4j Remote Code Execution Vulnerabilities:

  • CVE-2021-44228
  • CVE-2021-4104
  • CVE-2021-45046

Upon receiving reports regarding these vulnerabilities, ADP’s Global Security Organization began an investigation and is actively working to identify any potential impacts to our system and to prioritize any necessary patching. At this time, ADP has determined that none of its systems have been compromised and no intrusion has occurred. ADP’s layered defense includes technologies and controls to identify and/or prevent these types of threats, including assessing vulnerabilities and applying appropriate protection and detection control updates.

ADP’s Global Security Organization continues to actively monitor and respond to this developing situation as it does with all reported vulnerabilities. Clients are encouraged to visit ADP’s website at www.adp.com/trust to learn more about how ADP protects data, and how clients can help protect themselves.

Protecting our clients and their data from malicious activity is a top priority for ADP.