SailPoint has reproduced the recently-identified log4j critical vulnerability (CVE-2021-44228) in IdentityNow and has since released a patch to address this vulnerability. A new version of the Cloud Connector Gateway (CCG) has been also released to address this issue. Customers using CCG version 654 or later are no longer vulnerable and have no further action to take. The CCG version is visible to customer admins in the IdentityNow UI.
Customers should expect contact from SailPoint Support to assist with vulnerability mitigation.