Here's a summary of how CVE-2021-44228 relates to our products:
- Cloud service: our cloud service is running a version of Java greater than 11.0.1 and, we believe, is therefore not affected by the vulnerability. We have seen no evidence of data being compromised from the cloud service on inspection of the logs.
- On-premises installation: our on-premises installation uses an earlier version of the log4j library, which isn't affected by the vulnerability.
- Lite: our Structurizr Lite product uses an earlier version of the log4j library, which isn't affected by the vulnerability.
Irrespective of this, we released new versions of the above products over the weekend of 11th/12th December that included the patched version of the log4j library (v2.15.0), to protect from further undiscovered vulnerabilities. A further release of the above products was made on 14th December with log4j v2.16.0 to protect against CVE-2021-45046, 18th December with log4j v2.17.0 to protect against CVE-2021-45105, and 29th December with log4j v2.17.1 to protect against CVE-2021-44832.