OutSystems is aware of the recently disclosed security issue relating to the open-source Apache "Log4j2" utility (CVE-2021-44228).
OutSystems Cloud deployments - outsystemsenterprise.com
OutSystems is not using Log4j2 within your OutSystems cloud environments and therefore you are not affected by this vulnerability within your workloads/pipelines.
On-Premises Deployments
.NET deployment stacks
The OutSystems platform on .NET Stack does not install or require Log4j2. However, your organization may have installed Log4j2 in the OutSystems platform servers for other reasons. Therefore, it is a best practice to scan the servers where the OutSystems platform is installed for deployments of Log4j2.
Java 010 deployment stacks
Even though the OutSystems platform does not install or require a version of Log4j2 affected by this vulnerability, your organization may have installed other versions of Log4j2 in the OutSystems platform servers for other reasons. Therefore, it is a best practice to scan the servers where the OutSystems platform is installed for versions of Log4j affected by the vulnerability.
Usage inside OutSystems corporate
Finally, all known vulnerabilities from internal usage of Log4j2 have been addressed within OutSystems corporate systems.
Our security team will continue to monitor any developments in this situation.
Point of contact for future follow-ups:
https://success.outsystems.com/Support
https://www.outsystems.com/compliance/csirt/
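
One way to carry out the server scan recommended above for on-premises deployments, as an added example that is not part of the OutSystems advisory or any OutSystems tooling: it walks a directory tree, opens every .jar/.war/.ear (including archives nested inside them), and reports those containing Log4j2's JndiLookup class, with the log4j-core version from pom.properties when present. The function names and the use of JndiLookup.class as the marker are choices of this example; compare reported versions against the Apache advisory for CVE-2021-44228.

```python
import io
import os
import re
import zipfile

# Marker class and Maven metadata path shipped inside log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


def inspect_archive(fileobj, label, depth=0, max_depth=4):
    """Return findings for one archive, descending into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(fileobj)
    except (zipfile.BadZipFile, OSError):
        return findings  # unreadable or not a real archive: skip it
    with zf:
        names = zf.namelist()
        # endswith() also catches shaded copies and WEB-INF/classes layouts.
        if any(n.endswith(JNDI_CLASS) for n in names):
            version = "unknown"
            if POM_PROPS in names:
                text = zf.read(POM_PROPS).decode("utf-8", "replace")
                match = re.search(r"^version=(\S+)", text, re.MULTILINE)
                if match:
                    version = match.group(1)
            findings.append({"path": label, "version": version})
        if depth < max_depth:
            for n in names:
                if n.lower().endswith(ARCHIVE_EXTS):
                    inner = io.BytesIO(zf.read(n))
                    findings += inspect_archive(inner, f"{label}!{n}", depth + 1, max_depth)
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every .jar/.war/.ear found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, name)
                findings += inspect_archive(path, path)
    return findings


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit['path']}  log4j-core version: {hit['version']}")
```

Run it with the directory to scan as the only argument; a version of "unknown" means the class was found without Maven metadata (for example in a repackaged jar) and needs manual review.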
Thanks for the update.
Regards
Thanks for the info!