
Log4j vulnerability fixed (Updated)


[UPDATE #3] Log4j v2.17 did not fully solve the problem either. The Log4j maintainers have released another patch (v2.17.1). We have updated our cloud service as well as our on-premise versions v12, v13.5, and v14 to use this updated Log4j version.

On-premise customers who recently upgraded should download our software again and upgrade as soon as possible.


[UPDATE #2] Log4j v2.16 did not fully solve the problem. The Log4j maintainers have released another patch (v2.17). We have updated our cloud service as well as our on-premise versions v12, v13.5, and v14 to use this updated Log4j version.

On-premise customers who recently upgraded should download our software again and upgrade as soon as possible.


[UPDATE #1] The earlier vulnerability was not completely fixed in the Log4j library, and the maintainers released another patch (v2.16) a few hours ago. We have updated our cloud service as well as our on-premise versions v12, v13.5, and v14 to use this updated Log4j version.

On-premise customers who recently upgraded should download our software again and upgrade as soon as possible.


Various security news outlets reported on the discovery of vulnerability CVE-2021-44228 in the Apache Log4j Java library. This vulnerability has been marked as critical with a CVSS severity level of 10 out of 10.

The fix is to upgrade to the latest version of Log4j, which fixes this vulnerability.

Celoxis uses the Log4j v2 library. The following Celoxis versions have been fixed and are available for download: v12, v13.5, and v14. Please contact support on how to get the latest version.

Customers using v11 or earlier don't need to do anything, since we use Log4j v1 in those versions. Although a security vulnerability has been reported for this version of Log4j too, it is only exploitable if the software uses its JMSAppender functionality, which we don't.

- The Celoxis Team



Comments 2

  • Julie Nielsen-Neas

    Please clarify: 

    Vulnerable version: All versions of Log4j >= 2.0-beta9 and <= 2.14.1, and the fix is to upgrade to Log4j version 2.15.

    Please clarify the version of Log4j in use; the note above appears to indicate the Celoxis SaaS application is still using Log4j v2.x

    Thank you

  • Nikhil G. Daddikar

    We use Log4j 2.15. The versions mentioned in the article are Celoxis versions. 
