Request A Demo
Back to All Blog Articles

What is the impact of Log4j vulnerability (CVE-2021-44228) on FlexDeploy?

A high severity vulnerability (CVE-2021-44228, CVSSv3 10.0) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021. This vulnerability, discovered by Chen Zhaojun of Alibaba Cloud Security Team, impacts Apache Log4j 2 versions 2.0 to 2.14.1. According to the developer, version 1.x of Log4j is not susceptible to this vulnerability. The vulnerability allows for unauthenticated remote code execution.

As per Apache Log4j, all log4j-core versions >=2.0-beta9 and <=2.14.1 are affected.

Here’s what you need to know:

  • FlexDeploy is not susceptible to this vulnerability. The FlexDeploy application (Tomcat and WebLogic) and its plugins do not include any log4j-core jar files.
  • The FlexDeploy Tomcat distribution does not include log4j-core jar files.
  • A few customers use Oracle WebLogic as the application server for FlexDeploy. Oracle Support has indicated that the Oracle WebLogic Server does not require patching for this vulnerability.
  • While not required for FlexDeploy, it appears that the upgrade of Java to 8u191 or higher helps mitigate this situation.
  • Customers are advised to look into any custom developed plugins, scripts and other products that are used in conjunction with FlexDeploy for this vulnerability.

This has been documented on our support FAQ as well.

Other useful resources:

Related Resources

Webinar Recap: Simplify and Enable DevOps for Oracle Fusion Cloud Applications 

In the realm of Oracle Fusion Applications, encompassing ERP, HCM, SCM, CX Sales and CX Service, the management of configurations ...
Forrester Wave ISDP 2023

Flexagon recognized in the Forrester Wave ISDP

Flexagon Recognized in the Forrester Wave: Integrated Software Delivery Platforms, Q2 2023 We are delighted to share that Flexagon has ...

Deploy Einstein GPT Generated Components with FlexDeploy

The TrailblazerDX Main Keynote was a highly anticipated event, and it did not disappoint. The biggest news coming out of ...

Join DevOps leaders across the globe who receive analysis, tips, and trends in their inbox