Log4j-core vulnerability: CVE-2021-44832
Incident Report for Mendix Technology B.V.
Resolved
We have released Mendix 8.18.16 and 9.6.7, which include version 2.17.1 of the log4j library, mitigating CVE-2021-44832. With that, we have released fixes for all supported releases.

As always, Mendix recommends updating to the latest Studio Pro version, especially if you are using the Run on Cloud Foundry feature to deploy your app directly to Cloud Foundry from the Modeler/Studio Pro.
Posted Mar 24, 2022 - 11:02 CET
Monitoring
We have released Mendix 9.10.0 and 9.6.7, which include version 2.17.1 of the log4j library, mitigating CVE-2021-44832.

We will also release patches including this library version for Mendix 8.18 and 7.23. We will inform you when this is done.
Posted Feb 07, 2022 - 15:27 CET
Identified
On Tuesday, December 28, a new log4j-core vulnerability, CVE-2021-44832, was disclosed. The severity of this new vulnerability is classified as Moderate, with a base CVSS score of 6.6.
After analysis, we have concluded this vulnerability can’t be exploited in the Mendix Runtime.

To prevent false positives from code scanners, we will update the log4j library (log4j-api, not log4j-core) used by the runtime and bundled with Mendix Studio Pro. Given everything mentioned above, we will do this in our regular release schedule.

We also recommend that our customers check their projects and update the log4j-core library to the latest version, currently 2.17.1, if their project contains a log4j-core library below version 2.17.1.
Posted Dec 29, 2021 - 12:03 CET
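One way to carry out the project check recommended above, as an added example that is not Mendix's own tooling: walk a project directory (Mendix keeps bundled jars under `userlib`, assumed here), find every `log4j-core-*.jar`, read the version from the jar's `META-INF/MANIFEST.MF` (log4j-core ships an `Implementation-Version` there; the filename is used as a fallback), and flag anything below 2.17.1. The sample project it scans is constructed in a temporary directory; the mislabelled jar in `userlib/vendor` is there to show why the manifest, not the filename, is the version of record.

```python
"""Find log4j-core jars in a project tree and flag versions below 2.17.1.

Added example; assumes jars are plain zip files carrying a manifest with an
Implementation-Version header (true for upstream log4j-core builds).
"""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 17, 1)            # version the advisory names as current
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")
VERSION_PREFIX = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text):
    """Return the leading numeric dotted version as a tuple, or None."""
    m = VERSION_PREFIX.match(text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def is_below(version, fixed):
    """True when `version` sorts before `fixed` (shorter tuples padded with 0)."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unparseable version: {version!r}")
    fixed = tuple(fixed)
    n = max(len(parsed), len(fixed))
    return parsed + (0,) * (n - len(parsed)) < fixed + (0,) * (n - len(fixed))


def version_from_manifest(jar_path):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan(root):
    """Return sorted (relative path, version, needs_update) for log4j-core jars."""
    root = Path(root)
    findings = []
    for jar in root.rglob("*.jar"):
        m = JAR_NAME.match(jar.name)
        if not m:
            continue                       # log4j-api and other jars are out of scope
        version = version_from_manifest(jar) or m.group(1)
        try:
            needs_update = is_below(version, FIXED_VERSION)
        except ValueError:
            needs_update = True            # unknown version: flag for manual review
        findings.append((jar.relative_to(root).as_posix(), version, needs_update))
    return sorted(findings)


def _write_jar(path, impl_version):
    """Constructed sample: a minimal jar whose manifest states impl_version."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {impl_version}\n")


def demo():
    """Build a constructed sample project in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write_jar(root / "userlib" / "log4j-core-2.16.0.jar", "2.16.0")
        _write_jar(root / "userlib" / "log4j-core-2.17.1.jar", "2.17.1")
        _write_jar(root / "userlib" / "log4j-api-2.17.1.jar", "2.17.1")   # ignored
        # filename claims 2.17.1 but the manifest says 2.15.0: must be flagged
        _write_jar(root / "userlib" / "vendor" / "log4j-core-2.17.1.jar", "2.15.0")
        return scan(root)


if __name__ == "__main__":
    for path, version, needs_update in demo():
        print(f"{'UPDATE ' if needs_update else 'ok     '} {path} ({version})")
```

Run it against a real project by calling `scan("/path/to/project")`; any row marked as needing an update should be replaced with a 2.17.1 jar, and a row whose version could not be parsed is flagged conservatively rather than silently passed.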
This incident affected: Mendix Cloud (Mendix Cloud US-East, Mendix Cloud EU (Frankfurt), Mendix Cloud Asia Pacific (Tokyo), Mendix Cloud Free Tier EU, Mendix Cloud UK, Mendix Cloud IE, Mendix Cloud US-West, Mendix Cloud Asia Pacific (Sydney), Mendix Cloud Canada (Central), Mendix Cloud Asia Pacific (Singapore)) and Mendix Cloud Dedicated (Mendix Cloud Dedicated EU).