On Friday last week (2021-12-10), we were informed about a critical vulnerability in the Apache log4j library.
Most of the eccenca Corporate Memory components run in the Java VM, so it is important to ask if Corporate Memory is affected by this vulnerability.
The short answer to this question is no - eccenca Corporate Memory is NOT affected.
This is because all eccenca Corporate Memory components use logback, and not log4j, for logging.
However, typical eccenca Corporate Memory deployments involve other services which MAY BE AFFECTED, so we looked into these services as well:
- Keycloak is not affected, since they do not use the affected log4j 2 version.
- GraphDB is not affected, since no log4j-core lib is included and graphdb is using logback as well.
- Stardog IS AFFECTED and provided a security upgrade with the 7.8.1 release.
- Openlink informed us, that Virtuoso as well as Virtuoso JDBC drivers are not affected.
So in case your deployment is based on Stardog, you should update the deployment as soon as possible or mitigate the problem by adding -
Dlog4j2.formatMsgNoLookups=true to your
STARDOG_SERVER_JAVA_ARGS until you upgrade.