The problem exists in one component that is used by some Apache servers. Unless your app uses an Apache server, you have no exposure -- from what I've read.

"Application X does not in any way use the affected component which causes the security vulnerability."

>Hi,
>
>Today I receive an email from one of my customers which uses my ASP.NET application. This is the content of their email:
>

>In recent days, there have been multiple security advisories from Homeland Security (https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)  and considerable media 
>coverage of the Log4j vulnerability. This flaw, disclosed by Apache last week, allows attackers to 
>execute code remotely on a target computer, enabling the attacker to steal data, install malware or take 
>control of the target system.
>
>As a partner of Organization Name, we are requesting that you provide information related to the 
>information related to [insert application (s)]. Please advise the following:
>
>•	Any public statement your organization has made related to this vulnerability and/or
>•	Specify any updates required at this time to [insert application] to remediate exposure to the Log4j vulnerability 
>•	Notify Organization Name immediately of any change in status in the coming weeks related to further updates needed
>

>
>Of course, I am not going to make any public statement.
>
>But it is not clear if my application has an exposure to the Log4j (which I know nothing about) or
>this is just a generic email they sent to all vendors?
>
>What do you think?