A vulnerability has been reported as CVE-2021-44228. It affects the Log4J2 (Log4J version 2) library, which is commonly used in applications for logging.

To summarize:

  • CVE-2021-44228 impacts Log4J2 (Log4J version 2), which is not used in Semarchy xDM.
    xDM instances use Log4J1 (Log4J version 1) which is not vulnerable to CVE-2021-44228 attacks as described in the CVE.
  • Log4J1 (Log4J version 1) has other reported vulnerabilities, which can be easily identified and mitigated.
  • Upgrading the Log4J1 library used in xDM is a "technical debt" item tracked as MDM-10824. We plan to perform that upgrade as part of our next minor release (5.4).

The attached Security Notice provides detailed information.

Do not hesitate to contact our support team if you have additional questions or need further clarification.