<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=3260841&amp;fmt=gif">

Log4j Remote Code Execution Vulnerability (CVE-2021-44228) Dec. 2021

Critical vulnerabilities in the Java logging library Log4j

Valeria Di Dato

Security gap

On December 9, security researchers had drawn attention to a critical vulnerability in the Java logging library Log4j. Apache Log4j is a Java-based framework for logging application messages that is used by countless companies worldwide.


The risk of this security gap must be minimized as quickly as possible.

What does ajila do?

  • After the vulnerability became known, ajila immediately initiated appropriate security measures.
  • We have already patched all components on the ajila Forms Hub.
  • Our project teams are in contact with their technical contacts for applications developed by ajila and operated by them.
As far as we know at the moment, our products Digital Deals and Blink are not affected by the vulnerability. This affects our own developments as well as the version of Adobe Experience Manager Forms (OSGi Stack) that we use. The ajila Spotter is also not affected by the vulnerability.
Update December 20, 2021:
On 12/18/21 it became known that log4j contains yet another vulnerability classified as "high" https://logging.apache.org/log4j/2.x/security.html. This has been fixed in the current release 2.17. None of the ajila cloud services are affected by this vulnerability.
Otherwise, the same recommendations as published in this article apply. However, it is important to understand that release 2.16 and earlier 2.x releases still have vulnerabilities depending on the type of deployment and therefore ajila recommends to use only the current security release (at the current time this is v2.17).
Update December 17, 2021:
According to the latest information from OpenText, we can confirm that Adformio is not affected by the vulnerability. 
 Adobe Experience Manager Forms Details
According to the following Adobe advisory, the following products are affected by the vulnerability:
  • Experience Manager 6.5 Forms on JEE (all versions from 6.5 GA to 6.5.11)
  • Experience Manager 6.4 Forms on JEE (all versions from 6.4 GA to 6.4.8)
  • Experience Manager 6.3 Forms on JEE (all versions from 6.3 GA to 6.3.3)
  • Experience Manager 6.5 Forms Designer
  • Experience Manager 6.4 Forms Designer
  • Automated Forms Conversion Service
The following products are NOT affected:
  • Experience Manager Forms Workbench (all versions)
  • Experience Manager Forms on OSGi (all versions)
Details to OpenText Exstream
According to the following notice from OpenText (support login required), the following products are affected by the vulnerability:
  • OTDS as of version 20.1.1
  • Exstream (Cloud-Native) 20.4 and 21.2
The following products are NOT affected:
  • Exstream 21.3 (Server Based)
  • Exstream to Version 16.6.x
  • StreamServe 5.6.x and all supported DP Live releases
  • All "Core Exstream" components like the designer and the engine (all versions)
  • All "Orchestration", "Command Center" and "Communications Server" versions
  • Empower
  • AFP tools

What do I have to do as a customer?

  • We recommend all customers to check their own and purchased applications for the Log4j vulnerability and to apply the appropriate security patches as soon as available.
  • For more information and support, please contact your ajila project team. 

Further information

We will continue to monitor the situation and update the article with new findings