Our Cyber Security team has alerted us to a zero day vulnerability in Log4j, and I’ve looked into whether or not our Cloverleaf interface engine is affected by this vulnerability. It turns out we are on a version of CL that uses Log4j version 1.2.17 and thus appear to not be affected, as only versions >=2.0-beta9 and <=2.14 are listed in the exploit published on github.
However, the GitHub page did post the following statement about previous versions of Log4j, which seems a little concerning.
The version of 1.x have other vulnerabilities, we recommend that you update the latest version (of Log4j).
Are there any other organizations out there that have been looking at this issue and can share there comments? Does Infor have any comments they can share?
Thanks,
Don