• Vulnerability of LOG4J v2.0.0 - v2.14.1 (CVE-2021-44228)

    12/21/2021 Update 2 - 15.0.0.0005.00 is now available for v15 BAR, with the Apache Log4j 2 library updated to 2.17.0

    12/21/2021 Update - Added link to Apache logging resource

    12/16/2021 Update - 15.0.0.0004.00 is now available for v15 BAR, with the Apache Log4j 2 library updated to 2.16.0

    12/14/2021 Update 2 - Patch is now available for v15 BAR as patch 15.0.0.0003

    12/14/2021 Update - Initial post

    Standard BizFlow modules are not affected by the log4j2 vulnerability.  BizFlow is not using the affected versions in our core modules.

    For customers on BizFlow version 15 running BizFlow Advanced Reporting (BAR), we have confirmed that BAR uses log4j2, and we have provided a patch for it. This patch is available on our download server (http://download.bizflow.com) as patch 15.0.0.0003.

    This article describes the vulnerabilities by version and the mitigation:

    https://logging.apache.org/log4j/2.x/security.html

    The article states "Log4j 1.x is not impacted by this vulnerability" for the items listed under "Fixed in":
    Log4j 2.17.0 (Java 8)
    Log4j 2.16.0 (Java 8)
    Log4j 2.15.0 (Java 8)
    Log4j 2.12.2 (Java 7)

    Note: BizFlow modules use Log4j 1.x for BizFlow 12 to 15, excluding v15 BAR (as noted at top), and therefore are not impacted.

    We will update this article as needed with additional information.  Click 'Follow' to receive updates.  Regards.

    Bob Kepler

    Director, Customer Support