Laurent Bel Answered 24 days ago 

Matthew, you do realize that log4j version 1 is no longer maintained since 2015 and is also affected by a CVE scored 7.5?

"On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life. [...] Users of Log4j 1 are recommended to upgrade to Apache Log4j 2."

"Security vulnerability, CVE-2019-17571 has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2."

Source: https://logging.apache.org/log4j/1.2/
CVE: https://www.cvedetails.com/cve/CVE-2019-17571/

I'm not sure that relying on a version of log4j that is no longer maintained since 2015 is a good thing from a security perspective. One question: what is the plan to upgrade to log4j 2.15.0+?

Best, Laurent 


Matthew Dahlman, VP, Customer Success at Semarchy Answered 24 days ago

Hi all, I posted my "question" with an anti-clickbait headline containing the full spoiler. But I can also add some additional details to make things clearer. Vulnerability CVE-2021-44228 applies to Apache log4j2 versions 2.0 through 2.14.1. It has been a very big story over the past few days. Semarchy xDM uses log4j1 (often just called "log4j") rather than log4j2, so there are no versions of xDM that are affected by this vulnerability. We will of course continue to monitor the situation very closely and post updates as appropriate. 
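The two answers above describe two different exposures by version: CVE-2021-44228 for log4j2 2.0 through 2.14.1 (fixed from 2.15.0, as Laurent's question implies) and CVE-2019-17571 for the end-of-life log4j 1.x line. The script below is an added example, not code from Semarchy or from either poster: it classifies log4j JAR file names from an application inventory against exactly those ranges so an operator can see which finding applies to each artifact. It assumes plain `x.y.z` release versions in the file names (pre-release names such as `-beta` are reported as unparsed), and the inventory list is constructed here for illustration.

```python
"""Classify log4j artifacts against the CVEs discussed in this thread.

Added example. Version ranges come from the thread itself:
  - CVE-2021-44228: log4j2 (log4j-core) 2.0 through 2.14.1 inclusive
  - CVE-2019-17571: every log4j 1.x release (line is end of life, no fix)
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Inclusive range of log4j2 releases affected by CVE-2021-44228, as stated in the thread.
LOG4J2_CVE_2021_44228_RANGE = ((2, 0, 0), (2, 14, 1))

# Matches "log4j-1.2.17.jar" (the 1.x artifact) and "log4j-core-2.14.1.jar" (the 2.x core).
# Assumption: plain dotted release versions only; "-beta"/"-rc" names will not match.
JAR_NAME_RE = re.compile(
    r"^(?P<artifact>log4j(?:-core)?)-(?P<version>\d+(?:\.\d+){0,2})\.jar$"
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.0' or '2.14.1' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)  # pad '2.0' to (2, 0, 0) so tuple comparison is sound
    return (parts[0], parts[1], parts[2])


@dataclass(frozen=True)
class Finding:
    jar: str
    artifact: str
    version: str
    cves: Tuple[str, ...]   # empty tuple means no CVE from the thread applies
    advice: str


def assess_jar(jar_name: str) -> Optional[Finding]:
    """Return a Finding for a log4j JAR name, or None if the name is not a log4j artifact."""
    match = JAR_NAME_RE.match(jar_name)
    if not match:
        return None
    artifact, version_text = match.group("artifact"), match.group("version")
    version = parse_version(version_text)

    if version[0] == 1:
        # Log4j 1.x: end of life since 2015, CVE-2019-17571 will not be fixed.
        return Finding(jar_name, artifact, version_text, ("CVE-2019-17571",),
                       "Log4j 1 is end of life; plan an upgrade to Log4j 2 (2.15.0 or later)")

    low, high = LOG4J2_CVE_2021_44228_RANGE
    if low <= version <= high:
        return Finding(jar_name, artifact, version_text, ("CVE-2021-44228",),
                       "upgrade to log4j 2.15.0 or later")
    return Finding(jar_name, artifact, version_text, (),
                   "outside the ranges discussed in the thread; still review upstream advisories")


def scan_inventory(jar_names: List[str]) -> List[Finding]:
    """Assess every JAR in an inventory and return only the log4j findings."""
    findings = []
    for name in jar_names:
        finding = assess_jar(name)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real deployment.
    sample_inventory = [
        "commons-logging-1.2.jar",
        "log4j-1.2.17.jar",
        "log4j-core-2.14.1.jar",
        "log4j-core-2.15.0.jar",
    ]
    for f in scan_inventory(sample_inventory):
        status = ", ".join(f.cves) if f.cves else "no CVE from the thread"
        print(f"{f.jar}: {status} -> {f.advice}")
```

Running the script lists one finding per log4j JAR; feeding it the output of a `find` over an application's `lib` directory is the usual way to use it. The comparison works on tuples so that `2.0` (padded to `2.0.0`) and `2.14.1` both fall inside the inclusive range without string-comparison surprises.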


François-Xavier Nicolas, Chief Product Officer at Semarchy Answered 22 days ago

For a comprehensive and updated answer, see the following topic on the Semarchy forums: https://support.semarchy.com/en/support/discussions/topics/43000530098