You may already be aware of the security vulnerability present in Apache Log4j releases from version 2.0-beta9 to 2.14.1, designated as CVE-2021-44228. We have had a number of customers asking if their use of DeltaXML software products results in exposure to this vulnerability and this blog post constitutes our ‘official’ response.
We have not consciously made use of Apache Log4j in any of our products as we use alternative logging mechanisms. Nevertheless, we have searched our entire codebase for references to Log4j and, aside from a couple of internal projects where Log4j has now been updated, we can confirm that it is not present in our released products.
We have also searched for references in build files and dependencies and again, we are confident that none of our products are affected by the vulnerability in that respect.
While using DeltaXML products will not expose you to this vulnerability, we would recommend that you thoroughly review any code your organisation has written to integrate DeltaXML for references to Log4j and that you take any necessary measures as advised by the agencies listed below.
Apache Log4j Security: https://logging.apache.org/log4j/2.x/security.html
US government National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
UK government National Cyber Security Centre: https://www.ncsc.gov.uk/news/apache-log4j-vulnerability