As you are likely aware, late last week, Apache disclosed that the Log4j 2 utility contains a vulnerability that may be exploited for unauthenticated remote code execution. We are actively monitoring this issue and are working to patch any Thomson Reuters product that uses the vulnerable component Log4j 2.

Since the disclosure of the vulnerability, our internal cybersecurity experts have been working continuously to analyze our products and services to understand where the tool may be used and have been taking expedited steps to remediate any systems that may have a potential vulnerability. To date, our investigations continue to show that there is no evidence that Thomson Reuters systems have been negatively impacted. Thomson Reuters data and systems continue to be secured in accordance with industry standards.

At this time, we can confirm that the vulnerability either does not exist or has been remediated in the vast majority of Thomson Reuters products. Our investigation into the situation is ongoing, as are any further remedial actions that may be required. As such, in an abundance of caution, our teams will be performing additional maintenance tasks throughout this coming weekend, beginning during the evening today, which may result in your platform being temporarily unavailable outside of normal deployment and maintenance windows, although we expect this to be overnight for the majority of regions in order to minimise disruption.

Our top priority is ensuring the integrity of our systems and the information that our customers rely on, and this is purely a preventative measure to ensure that we continue to be unaffected by this evolving situation. If Thomson Reuters becomes aware of unauthorized access to Customer Data, we will notify impacted customers as soon as reasonably possible.

  • Hi Mark. Thanks for following up. As I mentioned above, our plan following the initial remediation of the vulnerabilities was to ensure that we kept our log4j components up to date in subsequent maintenance releases, which is exactly what has happened. The majority of our platform elements are now using 2.17.0 as standard in production and we will be supplementing this with 2.17.1 over the coming weeks where necessary.
