[Followup] Data Virtuality is not affected by the Apache Log4j security vulnerability (CVE-2021-44228)

After that the Apache Log4j security vulnerability (CVE-2021-44228) was published on December, 10th 2021, other related issues have been discovered and published as well, in particular:

• CVE-2021-44228
• CVE-2021-45046
• CVE-2021-45105
• CVE-2021-4104

Following up on our original post related to CVE-2021-44228, we want to reassure again our users that the Data Virtuality Platform is NOT affected by the vulnerabilities listed above.

As mentioned in the previous post, the affected Log4j libraries (i.e. log4j-core) and functionalities (i.e. JNDI Lookup) are not included in the Data Virtuality Platform since a separate log manager is used.

As reported in CVE-2021-4104, there is also a possibility that 1.2.x versions of Log4j might be affected by this vulnerability but only if the JNDI functionalities are used. In such a case the impact is considered moderate or medium.
Older versions of Data Virtuality Server as well as Data Virtuality Studio use Log4j 1.2.x but, also in this case, Data Virtuality is not open to this vulnerability since it does not use any JNDI mechanism provided by Log4j.

The protection of the privacy and the security of our customers is very important for us and we take all the needed actions to prevent any risks.

The next minor release of the Data Virtuality Platform is planned for the beginning of January 2022 and it will also include the latest version of Log4j libraries.

In case of any questions, please do not hesitate to contact our Support Team.