Log4j Statement
Incident Report for Funraise
Resolved
Funraise does not use log4j for any of its native application code. Funraise identified one area of log4j use in a third-party component that we use for search engine functionality (Elasticsearch), which is hosted separately from the Funraise Platform core infrastructure. Funraise applied the appropriate initial patches and mitigation strategies on Dec 13 and continues to monitor the situation as new recommendations and patches are released. We have found no evidence of exploit or attempted exploit in our application logs.

Log4j was also identified in a third-party component powering our BI functionality. This functionality is also hosted separately from the Funraise core infrastructure and presents a lowered risk of RCE. The vendor for that component patched and updated their infrastructure on Dec 16.

Funraise continues to maintain a proactive security posture and undergoes annual analysis of our codebase and infrastructure by an independent security firm.
Posted Dec 12, 2021 - 23:00 PST