Enonic XP is not affected by Log4j Zero day vulnerability

Security update:

The popular Java Logging utility Log4J2 contains a severe vulnerability, enabling remote code execution: Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec

Enonic XP does not use log4j - and is as such not affected by this vulnerability.
If you have for some reason bundled Log4j in your application, you might be at risk, and should consider mitigation steps. The affected versions of log4j are 2.0-2.14.


An update related to Elasticsearch vulnerability and bundling with Enonic XP.
Elasticsearch reportedly contains the vulnerable library, does this somehow affect Enonic?

No. The version of ES bundled with Enonic XP uses Log4J v1.2.17 - which is not affected.

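To check whether an application archive bundles Log4j, as both posts above discuss, here is an added example (not Enonic's code) that reads the Maven `pom.properties` metadata inside a jar and its nested jars and flags `log4j-core` versions in the 2.0-2.14 range stated above. The archive names and sample contents are constructed, and treating every 2.14.x release as in range is an assumption.

```python
import io
import re
import zipfile

# Maven metadata shipped inside Log4j jars; 2.x (log4j-core) and 1.x (log4j) use different coordinates.
POM_RE = re.compile(r"META-INF/maven/(org\.apache\.logging\.log4j/log4j-core|log4j/log4j)/pom\.properties$")
VERSION_RE = re.compile(r"^version=(\S+)", re.M)

def in_affected_range(version):
    """True for 2.0 through 2.14.x, the range given in the announcement (2.14.x is an assumption)."""
    m = re.match(r"(\d+)\.(\d+)", version)
    return bool(m) and int(m.group(1)) == 2 and 0 <= int(m.group(2)) <= 14

def scan_archive(data, path="app.jar"):
    """Return [(location, artifact, version, affected)] for a jar, recursing into nested jars."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings += scan_archive(zf.read(name), f"{path}!/{name}")
                continue
            m = POM_RE.search(name)
            if m:
                v = VERSION_RE.search(zf.read(name).decode("utf-8", "replace"))
                version = v.group(1) if v else "unknown"
                artifact = m.group(1).split("/")[-1]
                findings.append((path, artifact, version, in_affected_range(version)))
    return findings

def make_jar(entries):
    """Build an in-memory jar from {name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: an app bundling log4j-core 2.14.1 and Log4j 1.2.17 as nested jars.
CORE = make_jar({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.14.1\n"})
V1 = make_jar({"META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.17\n"})
SAMPLE_APP = make_jar({"lib/log4j-core.jar": CORE, "lib/log4j.jar": V1, "site/app.js": b"//"})

if __name__ == "__main__":
    for loc, artifact, version, affected in scan_archive(SAMPLE_APP):
        print(f"{loc}: {artifact} {version} -> {'in affected range' if affected else 'outside stated range'}")
```

A jar that was repackaged without its Maven metadata will not be reported by this check, so an empty result does not by itself prove Log4j is absent.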