On Friday, December 10, 2021, a critical vulnerability (CVE-2021-44228) was made public that potentially affects all Java-based systems using the Java Log4j library from version 2.0-beta9 to 2.14.2.
Regarding how this vulnerability affects Modyo platforms, we can state the following:
- The vulnerability affects only Java-based systems, so it does not directly affect the platform.
- Older versions of Modyo 7, which rely on the JBoss server, use Log4j version 1.2, which is not affected by the incident.
- Modyo 8 versions running on JRuby (Enterprise On Premise) do not use Log4j.
- Modyo Connect developments, based on SpringBoot, use the standard Spring log library by default. It is based on Log4j 1.2, which is not affected by the incident.
Regardless of the above, we continue to monitor our systems for any impact that the incident could have on the rest of the internal platforms that are used as part of the development process.
For customers and partners developing their own SpringBoot based microservices, the recommendation is to ensure that an alternative log library is not being used. If one is, make sure you have the patched version of Log4j >= 2.15.0.
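One way to carry out the check recommended above on a built microservice: list the Log4j 2.x core jars bundled in the archive and flag any below 2.15.0. This is an added example, not Modyo tooling; it assumes the usual layout where dependencies are packaged as jar entries (for example under `BOOT-INF/lib/`), and the sample archive and its file names are constructed.

```python
import re
import tempfile
import zipfile
from pathlib import Path

PATCHED = (2, 15, 0)  # minimum version named in the advisory
# log4j-core is the Log4j 2.x artifact; Log4j 1.2 ships as log4j-1.2.x.jar and does not match.
CORE_JAR = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?([-.][\w.]+)?\.jar$")


def parse_version(name):
    """Return (major, minor, patch, has_suffix) for a log4j-core jar name, else None."""
    m = CORE_JAR.search(name)
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, patch, m.group(4) is not None)


def needs_upgrade(version):
    """True below 2.15.0; a suffixed 2.15.0 build (e.g. -rc1) is conservatively flagged too."""
    major, minor, patch, suffix = version
    return (major, minor, patch) < PATCHED or ((major, minor, patch) == PATCHED and suffix)


def scan_archive(path):
    """List (entry, version, needs_upgrade) for log4j-core jars bundled in a jar/war."""
    findings = []
    with zipfile.ZipFile(path) as archive:
        for entry in archive.namelist():
            version = parse_version(entry)
            if version:
                findings.append((entry, version, needs_upgrade(version)))
    return findings


def build_sample(directory, bundled):
    """Constructed sample: a shell of a fat jar containing only the given library names."""
    path = Path(directory) / "service.jar"
    with zipfile.ZipFile(path, "w") as archive:
        for lib in bundled:
            archive.writestr(f"BOOT-INF/lib/{lib}", b"")
    return path


if __name__ == "__main__":
    libs = ["log4j-core-2.14.1.jar", "log4j-1.2.17.jar", "logback-classic-1.2.3.jar"]
    with tempfile.TemporaryDirectory() as tmp:
        for entry, version, flagged in scan_archive(build_sample(tmp, libs)):
            print(entry, version[:3], "UPGRADE" if flagged else "ok")
```

The scan matches on file names only, so a library that has been renamed or shaded into another jar will not be reported and needs a dependency-tree check from the build tool instead.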