Statement on Apache Log4j CVE-2021-44228

ServiceNow is aware of the Java logging library vulnerability disclosed on 2021 December 09 (CVE-2021-44228 Apache Log4j). We have done a thorough investigation and can confirm that ServiceNow-hosted instances are not at risk from known exploits of this vulnerability. Nonetheless, to further protect against any potential associated risk, and as part of our general security hygiene and risk reduction practices, we are remediating these Log4j library versions to protect against unknown exploits of the Log4j library. ServiceNow is also providing guidance to customers wishing to accelerate the remediation of vulnerable Log4j libraries on MID Server ahead of the standard security patching cycle. Finally, with respect to our third-party vendors, we are proactively scanning our application environments with updated signature packs and immediately acting on any applications identified as at risk by means of patching, applying mitigating controls or configurations, or isolating affected devices.