Log4j2 Vulnerability

On December 9, 2021, a vulnerability in Apache Log4j was identified that affected a large number of Java server applications. We have been diligently evaluating ZFlow’s dependencies and how they may affect ZFlow and its operations. Our evaluation indicated that ZFlow and related packages do not have any dependency on the Log4j2 library, and that the impacted Log4j2 libraries are not included in the distribution.

ZFlow does include Log4j 1.2.9+ in the distribution, and that version of Log4j is not affected by CVE-2021-44228. We are also aware of CVE-2021-4101 for Log4j 1.x, which exposes applications to a moderate-severity vulnerability. As a precaution, we removed the JMSMessenger class from the log4j jar that is included in the ZFlow distribution.
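The two statements above (no impacted Log4j2 class in the distribution, and a class removed from the bundled log4j 1.x jar) are both checkable by inspecting jar contents rather than jar names. The following Python is an added example, not ZFlow's own tooling: it walks a distribution tree, opens every jar/war/ear, descends into archives nested inside them, and reports any class entry from the `wanted` set. The default entry is the real Log4j 2 `JndiLookup` class behind CVE-2021-44228; the `wanted` parameter name and the `scan_*` function names are this example's own, and you can add the log4j 1.x class entry you removed to confirm it is gone.

```python
"""Scan a distribution tree for specific class entries inside jar/war/ear files."""
import io
import os
import sys
import zipfile

# Class entry that implements the JNDI lookup exploited in CVE-2021-44228.
# Its presence, not the jar's file name, decides whether a bundled Log4j 2
# copy carries the vulnerable code path.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def scan_archive(zf, location, wanted):
    """Return [(location, entry)] for every wanted entry in zf, descending
    into nested archives (e.g. jars packed under WEB-INF/lib in a war)."""
    hits = []
    for info in zf.infolist():
        name = info.filename
        if name in wanted:
            hits.append((location, name))
        elif name.lower().endswith(ARCHIVE_SUFFIXES):
            with zf.open(info) as nested:
                data = nested.read()
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    hits.extend(scan_archive(inner, f"{location}!{name}", wanted))
            except zipfile.BadZipFile:
                pass  # entry is named like an archive but is not one; skip it
    return hits


def scan_tree(root, wanted=frozenset({JNDI_LOOKUP})):
    """Walk root and report every wanted class entry in every archive under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                try:
                    with zipfile.ZipFile(path) as zf:
                        hits.extend(scan_archive(zf, path, wanted))
                except zipfile.BadZipFile:
                    pass  # corrupt or non-zip file with an archive suffix
    return hits


if __name__ == "__main__":
    # Usage: python scan.py <distribution-root>; an empty report means no hit.
    for where, entry in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{where}: contains {entry}")
```

An empty result only shows the named class entries are absent; it says nothing about Log4j copies reached at runtime from outside the scanned tree, such as a Tomcat installation.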

The risk picture around Log4j is evolving quickly. We are following events and have been testing and qualifying the ZFlow distribution with the latest Log4j2 library (currently 2.1.17). While ZFlow itself does not use Log4j for logging, we know that Log4j is distributed widely as part of Tomcat and other Java libraries.