Datactics Platform components are not affected by the CVE-2021-44228 vulnerability in log4j. Datactics is not issuing any emergency updates and Datactics customers do not have to perform any mitigating actions on the platform at this time.
What you Need to Know:
On 10th December 2021 a critical vulnerability CVE-2021-44228 was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. This issue can lead to remote code execution or information disclosure on the system running software containing the log4j component. We have performed an extensive security audit of all our software components and can confirm that the Datactics platform is not impacted by this issue.
Datactics Security Audit Summary:
- Flow Designer:
- Data Quality Manager (DQM):
Not affected. Java components written by Datactics use the SL4J logging library which is not affected by this vulnerability. Additionally some open source Apache components, used in a limited number of DQM Toolset plug-ins, use versions of log4j not affected by the CVE-2021-44228/log4shell vulnerability:
|DQM Toolset/Item||3rd Party lib||log4j version|
|csv/FromExcel||Apache POI||log4j v1.2.17|
|csv/MergeCsvsToXls||Apache POI||log4j v1.2.17|
|csv/FromExcelXlsToXlsx||Apache POI||log4j v1.2.17|
|csv/FromRdf||Apache Jena||log4j v1.2.17|
Please note that these components may raise a false alert when scanning the platform for log4j dependencies, however the versions bundled are not impacted.
- Data Quality Clinic (DQC):
Not affected. Java components written by Datactics use the SL4J logging library which is not affected.
What else is Datactics Doing?
Datactics remains committed to the security and privacy of our customers and staff and was recertified under the NCSC (National Cyber Security Centre) Cyber Essentials Plus scheme on 13th Dec 2021.
We continue to monitor the situation with CVE-2021-44228 and log4j dependencies in Apache Jena and Apache POI and will issue a release of Data Quality Manager Toolsets after stable versions of Apache Jena and Apache POI using log4j 2.16.0 have been released.
If you have any questions about the exploit, need any additional help with identification or mitigation, or have any general concerns, please don’t hesitate to get in touch with us.
Please visit the following resources to learn more about Log4Shell: