Impact of the Log4j vulnerability CVE-2021-44228
Log4j is an open source logging library for Java developed by the Apache Foundation, which is widely used in server infrastructure, applications and digital services.
Log4j versions before 2.15.0 have a critical security vulnerability (CVE-2021-44228) allowing remote code execution.
None of our desktop software on Mac or Windows uses Java or Log4j, so is not affected by CVE-2021-44228.
OnDemand cloud app
None of our cloud software uses Java or Log4j, so is not affected by CVE-2021-44228.
Note: OnDemand runs on Microsoft Azure and Microsoft are still investigating impact. Microsoft have documented a small number of Azure services that use Log4j, but OnDemand doesn't use any of those services. Microsoft may discover other uses of Log4j on Azure as they continue investigating.
Microsoft’s Response to CVE-2021-44228
None of our core infrastructure uses Java or Log4j, so is not affected by CVE-2021-44228.
Assessment of Log4j use by third party suppliers for services like accounting is ongoing.
Note: This information was correct at the time of publication, but this is still an evolving situation, and this page will be updated as new information becomes available.
Applies to: All products
Last reviewed: Dec 16, 2021