What is Log4j?
Log4j is a framework for recording user activity and application behavior for subsequent review. It is distributed free by the nonprofit Apache Software Foundation.
How does this impact Domino?
Domino is not affected by the Log4j issue outlined as CVE-2021-44228. Domino has undergone a source code review, including a thorough third-party integration and library review, to make this determination. In addition, Domino has tested its software for attack vectors to validate these findings. While Domino does use Log4j, the version it uses is not vulnerable.
Domino does use a third-party service, ElasticSearch, which ships with a library flagged as potentially vulnerable (log4j v2.11.1). However, as configured and deployed, ElasticSearch is NOT vulnerable, owing to its use of the Java Security Manager. More information from Elastic may be found here: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
Optional Partner Integrations
Domino offers optional partner integration containers as outlined in our docs.
These integrations are not included by default in Domino, but rather are added by Domino administrators after setup and configuration. Your deployment of Domino may not include these integrations; please check with your Domino admin.
Please refer directly to the software vendors’ statements for risk & recommendations:
Domino continues to monitor this situation and will update customers as necessary.