A security vulnerability has been recently discovered in Apache Log4j (version 2), allowing an attacker to "execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled":
Data Virtuality is NOT affected by this remote code injection vulnerability.
Even though Data Virtuality uses one of the affected versions of Log4j, the affected Log4j libraries (i.e. log4j-core) are not included in Data Virtuality.
In particular, Data Virtuality uses a separate log manager which doesn't include the JNDI Lookup functionalities and uses only some of the Log4j APIs which are not affected by CVE-2021-44228.
If you have any questions or doubts, please feel free to contact our Support Team.
Please sign in to leave a comment.