Log4j-core vulnerability: CVE-2021-44832
Incident Report for Mendix Technology B.V.
Identified
On Tuesday, December 28, a new log4j-core vulnerability, CVE-2021-44832, was disclosed. The severity of this new vulnerability is classified as Moderate, with a base CVSS score of 6.6.
After analysis, we have concluded this vulnerability can’t be exploited in the Mendix Runtime.

To prevent false positives from code scanners, we will update the log4j library (log4j-api, not log4j-core) used by the runtime and bundled with Mendix Studio Pro. Given the above, this update will follow our regular release schedule.

We recommend that our customers check their projects and, if a project contains a log4j-core library below version 2.17.1, update it to the latest version, currently 2.17.1.
Posted Dec 29, 2021 - 12:03 CET
This incident affects: Mendix Cloud V4 (Mendix Cloud V4 US-East, Mendix Cloud V4 EU, Mendix Cloud V4 Asia Pacific Northeast, Mendix Cloud V4 Free Tier EU, Mendix Cloud V4 UK, Mendix Cloud V4 IE, Mendix Cloud Dedicated EU-1, Mendix Cloud V4 US-West, Mendix Cloud V4 Australia, Mendix Cloud V4 Canada, Mendix Cloud V4 Singapore) and Mendix Cloud V3 (Mendix Cloud V3 US, Mendix Cloud V3 EU).
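The recommendation above is to check a project for a bundled log4j-core below 2.17.1. The following script is an added example, not Mendix's own tooling: it walks a project directory, picks out log4j jars by filename, and reports only log4j-core versions older than 2.17.1 as needing an update, while listing log4j-api separately because that artifact is not affected by this CVE even though name-based scanners often flag it. The folder names (`userlib`, `vendorlib`) and the jar files in the demo are constructed for the example.

```python
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import List, Tuple

# Version the advisory names as the current fixed release of log4j-core.
FIXED_VERSION = (2, 17, 1)

# log4j-core carries the affected code; log4j-api is reported separately
# because it merely matches by name in many scanners.
JAR_RE = re.compile(r"^log4j-(core|api)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '2.17.1' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def is_below_fixed(version: str) -> bool:
    """True when a log4j-core version string is older than the fixed release."""
    parsed = parse_version(version)
    # Pad to three components so '2.17' compares as (2, 17, 0).
    parsed += (0,) * (3 - len(parsed))
    return parsed < FIXED_VERSION


def scan_project(root: str) -> List[dict]:
    """Walk a project tree and report every log4j jar with its status."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_RE.match(name)
            if not match:
                continue
            artifact, version = match.groups()
            if artifact == "core":
                status = "UPDATE" if is_below_fixed(version) else "ok"
            else:
                status = "api-only (not affected, may trip scanners)"
            findings.append({
                "path": os.path.join(dirpath, name),
                "artifact": artifact,
                "version": version,
                "status": status,
            })
    return sorted(findings, key=lambda f: f["path"])


def demo_scan() -> List[dict]:
    """Build a constructed sample project layout in a temp dir and scan it.

    The directory names and jar files below are made up for this example;
    only the filenames matter to the scanner, so the jars are empty.
    """
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "userlib"
        lib.mkdir()
        for name in ("log4j-core-2.16.0.jar", "log4j-api-2.17.1.jar", "other-lib-1.0.jar"):
            (lib / name).write_bytes(b"")
        vendor = Path(tmp) / "vendorlib"
        vendor.mkdir()
        (vendor / "log4j-core-2.17.1.jar").write_bytes(b"")
        findings = scan_project(tmp)
        # Strip the random temp prefix so the result is stable for the caller.
        for finding in findings:
            finding["path"] = os.path.relpath(finding["path"], tmp)
        return findings


if __name__ == "__main__":
    # Pass a project directory to scan it; with no argument, run the demo.
    results = scan_project(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for finding in results:
        print(f"{finding['status']:<40} {finding['path']}")
```

Filename matching is deliberately narrow: a shaded or renamed jar that embeds log4j-core would not be caught, so treat a clean result from this script as a first pass and confirm against the project's dependency manifest before closing the item.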