There is a vulnerability in the Log4j Java stack (Log4j Zero Day Flaw | CVE-2021-44228).
I discovered that OutSystems does leverage Log4j based on information provided here: Change OutSystems Platform logging levels, though the implementation details of Log4j are not present to self-determine the exposure risk.
I also see that this exploit relies on servers running Apache and there are certain apache frameworks leveraged for OutSystems Service Center Plugins.
What impact will this have on the OutSystems platform and are there current plans to fix this vulnerability if one exists?
UPDATE: contrary to what was communicated to me previously, there will be an official statement from OutSystems.
In the meantime, this is what OutSystems support replied to me:
For V10 and V11 on Microsoft stack in the cloud:
For V10 and older on Java stack:
@Daniël Kuhlmann thank you for your quick response and detail. Much appreciated.
You are welcome.
Hi,
Yesterday I had contact with the OutSystems CSIRT team and they confirmed that OutSystems is not affected by this, nor do they use the software in OutSystems 11.
Same for the AWS services used by OutSystems to host their platform.
I will ask OutSystems for clarification regarding the documentation you shared, which relates to the Java stack that, I believe, is no longer officially supported by OutSystems.
I have forwarded your findings to the CSIRT team, and will share a reply from them here in this discussion as soon as it arrives.
Regards,
Daniel
And here is the official statement:
https://www.outsystems.com/forums/discussion/75105/log4j-vulnerability-on-outsystems/