Impact of the Log4j vulnerability CVE-2021-44228

Background

Log4j is an open-source logging library for Java, developed by the Apache Foundation, that is widely used in server infrastructure, applications and digital services.

Log4j versions before 2.15.0 have a critical security vulnerability (CVE-2021-44228) allowing remote code execution.

Desktop apps

None of our desktop software on Mac or Windows uses Java or Log4j, so it is not affected by CVE-2021-44228.

OnDemand cloud app

None of our cloud software uses Java or Log4j, so it is not affected by CVE-2021-44228.

Note: OnDemand runs on Microsoft Azure and Microsoft are still investigating impact. Microsoft have documented a small number of Azure services that use Log4j, but OnDemand doesn’t use any of those services. Microsoft may discover other uses of Log4j on Azure as they continue investigating.

Microsoft’s Response to CVE-2021-44228

Infrastructure

None of our core infrastructure uses Java or Log4j, so it is not affected by CVE-2021-44228.

Other services

Assessment of Log4j use by third-party suppliers for services like accounting is ongoing.

Note: This information was correct at the time of publication, but this is still an evolving situation, and this page will be updated as new information becomes available.

Applies to: All products

Last reviewed: Dec 16, 2021