On Tuesday, December 28, a new log4j-core vulnerability, CVE-2021-44832, was disclosed. The severity of this new vulnerability is classified as Moderate, with a base CVSS score of 6.6. After analysis, we have concluded this vulnerability can’t be exploited in the Mendix Runtime.
To prevent false positives from code scanners, we will update the log4j library (log4j-api, not log4j-core) used by the runtime and bundled with Mendix Studio Pro. Given everything mentioned above, we will do this in our regular release schedule.
We recommend our customers to check their projects and update the log4j-core library to the latest version, currently 2.17.1, as well if their project contains a log4j-core library below version 2.17.1.