On Tuesday, December 14, a new CVE (CVE-2021-45046) was published, indicating that, contrary to earlier reports, log4j-core version 2.15 is still vulnerable to the zero-day exploit shared on Friday, December 10. The bug, tracked as CVE-2021-44228 and dubbed Log4Shell, could allow an attacker to execute arbitrary code through the Log4j Java library used for logging. For more in-depth information on this vulnerability, see the Security page of the Apache Logging Services website.
As stated before, the Mendix runtime itself is not vulnerable to this exploit. We nevertheless continue to strongly urge customers to upgrade log4j-core to the latest version (currently 2.16.0) if log4j-core is part of your project. This applies regardless of the JRE/JDK version the app runs on.
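To find out whether log4j-core is part of a project and which version is present, the following added check (example code written for this advisory, not a Mendix tool) walks a directory tree, locates every `log4j-core*.jar`, reads the `Implementation-Version` from the jar's manifest (falling back to the version embedded in the file name) and flags anything below 2.16.0. The directory layout and the sample jars it builds in a temporary folder are constructed for the demonstration; point `scan()` at a real project folder (for example its `userlib` directory) to inventory the real jars.

```python
"""Inventory log4j-core jars under a directory and flag versions below 2.16.0.

Added example for this advisory; it is not Mendix tooling. The sample jars
created by make_fake_jar() contain only a manifest and are constructed so the
script runs offline.
"""
import os
import re
import tempfile
import zipfile

# Lowest log4j-core version the advisory recommends (2.16.0).
MIN_OK = (2, 16, 0)


def parse_version(text):
    """Turn '2.15.0' (or 'log4j-core-2.15.jar') into a tuple; None if absent."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jar_version(path):
    """Read Implementation-Version from META-INF/MANIFEST.MF, else use the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                version = parse_version(line.split(":", 1)[1])
                if version:
                    return version
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: fall back to the file name
    return parse_version(os.path.basename(path))


def scan(root):
    """Return (path, version, needs_upgrade) for every log4j-core jar below root.

    A jar whose version cannot be determined is reported as needing attention.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.startswith("log4j-core") and lower.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                needs_upgrade = version is None or version < MIN_OK
                findings.append((path, version, needs_upgrade))
    return findings


def make_fake_jar(path, version):
    """Constructed sample: a minimal jar holding only a manifest."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n",
        )


def demo():
    """Build a constructed userlib folder, scan it, and return {jar name: needs_upgrade}."""
    root = tempfile.mkdtemp()
    userlib = os.path.join(root, "userlib")
    os.makedirs(userlib)
    make_fake_jar(os.path.join(userlib, "log4j-core-2.15.0.jar"), "2.15.0")
    make_fake_jar(os.path.join(userlib, "log4j-core-2.16.0.jar"), "2.16.0")
    make_fake_jar(os.path.join(userlib, "log4j-api-2.15.0.jar"), "2.15.0")  # not core, ignored
    results = scan(root)
    for path, version, needs_upgrade in sorted(results):
        status = "UPGRADE to 2.16.0 or later" if needs_upgrade else "ok"
        print(f"{os.path.basename(path)}: {version} -> {status}")
    return {os.path.basename(p): n for p, _, n in results}


if __name__ == "__main__":
    demo()
```

The check matches on file name, so a log4j-core copy shaded into another jar under a different name is not found; for those, unpack the suspect jar and look for `org/apache/logging/log4j/core` class paths. A version that cannot be read is deliberately reported as needing attention rather than silently passed.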
The following only applies to customers who deploy to their own private Cloud Foundry cluster. This has no impact on the Public Cloud:
The Studio Pro distribution contains a utility called `mx-cf-client`, which makes it possible to deploy a Mendix application to Cloud Foundry from Studio Pro. `mx-cf-client` contains a vulnerable `log4j-core` library. The only scenario in which this could be exploited is when the applicable Cloud Foundry server is untrusted or compromised.
`mx-cf-client` is only used for Cloud Foundry installations for private cloud and not used to deploy to the Mendix public cloud.
To remediate this vulnerability, we are working on the patch releases Mx7.23.27, Mx8.18.14 and Mx9.6.4; these versions will be released in the coming days. Upgrading your applications to one of these versions, or a later one, will remove this vulnerability. The patch for this vulnerability is included in our monthly release starting with Mx9.9.0.
For any additional questions, please contact support.
We will continue to keep you updated on our efforts to investigate the impact of this vulnerability on our platform and on our efforts to mitigate it.