Security Notice - Log4J2 CVE-2021-44228

A vulnerability has been reported under the CVE-2021-44228 reference, affecting the Log4J2 (Log4J version 2) library, commonly used in applications for logging services.

To summarize:

  • CVE-2021-44228 impacts Log4J2 (Log4J version 2) until version 2.15. No version of Semarchy xDM uses an affected Log4J2 version.
  • The logging in Semarchy xDM was upgraded from Log4J1 to Log4J2 as part of the 5.3.9 release (January 2022). The Log4J2 version (2.17.1) shipped with xDM 5.3.9 and above is not vulnerable to CVE-2021-44228.
  • The Log4J2 version (2.17.1) shipped with xDM 5.3.9 and above is also not vulnerable to the other CVEs reported after CVE-2021-44228 that affect earlier versions of Log4J2.
  • xDM versions prior to 5.3.9 use Log4J1 (Log4J version 1), which is not vulnerable to CVE-2021-44228 attacks as described in the CVE.
  • Log4J1 (version 1) has other reported vulnerabilities, which can be easily identified and mitigated.

The attached Security Notice provides detailed information.

Do not hesitate to contact our support team if you have additional questions or need further clarification.

