Update on Apache Log4j

We understand many people are concerned about the widely-reported Apache Log4J vulnerability, and we wanted to assure you that our investigation has found no exposure for any of our customers or systems.

On Thursday, December 9, 2021, we were made aware of the vulnerability in the Apache Log4j library (CVE-2021-44228).  We immediately began investigating any potential impact to Brex systems and partner systems. After a thorough review, we found no exposure to any of our customers or systems.  In addition, we have implemented all available patches and other controls to prevent similar recurring issues. Please contact security@brex.com if you have any questions or concerns.

Keeping our customers’ data secure is our top priority. If you identify any potential vulnerability to the Brex platform, please disclose it to us via our Responsible Disclosures form.