Apache Log4j library security vulnerability and M-Files
Version 6
Last updated: 21/12/2021, 14:00 AM EET
Dear Customer,
We wish to inform you that in response to the published vulnerabilities on Apache Log4j (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) M-Files Security team has performed a rigorous review to identify any potential exposure and risks arising from the vulnerability.
M-Files core product relies on programming languages other than Java, and thus we have not as of now identified use of vulnerable log4j library within M-Files Server / Desktop / Classic Web / VNEXT / Mobile services.
For Smart Search, IDOL and other services, we have updated all components that have come to our attention where the risk of exposure to the vulnerability could not be ruled out.
For Hubshare Cloud product we have performed all critical updates for components that have come to our attention where the risk of exposure to the vulnerability could not be ruled out. For Hubshare on-premises installations a patch 3.3.4.6 has been released. M-Files Security team shall continue investigations and we shall keep you informed should we have additional information to share.
Best regards,
M-Files Security
Change log:
Version 1 First notification
Version 2 Content on Hubshare added
Version 3 Content on Smart Search added
Version 4 Content on IDOL added
Version 5 Response updated over CVE-2021-45046
Version 6 Response updated over CVE-2021-45105 and reference to Hubshare patch added.