Apache Log4j investigation
Incident Report for FMX
Resolved
This incident has been resolved.
Posted Feb 04, 2022 - 09:30 EST
Monitoring
FMX is completing an investigation to determine whether any of the services we provide or third-party services we use are impacted by the Apache Log4j vulnerability, Log4Shell.

We have verified that the data you’ve entered into the FMX application (.gofmx.com) is not impacted by Log4Shell.

We do use a third-party service to provide our reporting dashboards. Like many services, they are impacted by Log4Shell. However, the part of this service impacted by the vulnerability is well guarded in the FMX infrastructure and is only accessible by FMX employees. Thus, we consider it highly unlikely that this vulnerability has ever been exploited.

Some of the internal services we use to provide customer support, sales, and marketing services do contain organizational-level customer data and are impacted by the vulnerability. Many of our vendors have since mitigated the vulnerability and we expect the rest to do so very soon. We are continuing to monitor our vendors’ responses and if we become aware of any unauthorized access to this organizational-level data, we will notify any impacted customers without delay. Organizational-level data can include organization name and contact information, contract value, product-use data, meeting notes, customer support conversations, etc.

Updates will be posted to our status page as any additional information becomes available. Please reach out to support@gofmx.com with any questions.

For more information about Log4Shell, please review CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and the Apache Log4j2 (https://logging.apache.org/log4j/2.x/security.html) post.
Posted Dec 14, 2021 - 17:08 EST
This incident affected: Web App, API, Email, Reporting Dashboards, and www.gofmx.com.