
The Sage 300 CRE Development Team has researched the Apache Log4j vulnerability

Sage was alerted on Friday 10th December 2021 to a critical remote code execution vulnerability in all Apache Log4j versions from 2.0-beta9 to 2.15.

References

https://logging.apache.org/log4j/2.x/security.html
https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root). These are the sorts of vulnerabilities that could be exploited automatically by worms.

The Sage 300 CRE Development Team has investigated this, and the Apache Log4j 2 library is NOT used in any version of Sage 300 CRE.

For customers using Sage 300 CRE with Sage Service Operations or Sage Paperless, we have confirmed that these products are not affected by this vulnerability.

Aatrix, which we use for payroll e-filing, has published a statement that they are also not impacted (aatrix.com/log4j).

It is important to note that while Sage has confirmed the status of as many of our integrated applications and services as possible, applications and services provided by independent software vendors may still have vulnerabilities. Customers should work with their reseller to ensure that their systems are secure.