Impacted Products: IdentityIQ and File Access Manager deployments where customers have modified out of the box log4j2 configuration to allow context lookups
SailPoint has analyzed the recently-identified DoS vulnerability in Log4J (CVE-2021-45105) and has determined that since SailPoint products, other than instances of IdentityIQ and File Access Manager where the customer has made certain modifications discussed in the next sentence, do not allow context lookups, this vulnerability does not impact SailPoint products.
IdentityIQ and File Access Manager do not use context lookups out of the box, however customers have the ability to modify the out of the box pattern layouts in log4j2.properties to use context lookups which might render them susceptible to this vulnerability. As documented in the CVE and guidance from the Apache Logging Services Project, context lookups using the pattern ${ctx: should be removed or replaced with Thread Context Map patterns (%X, %mdc, or %MDC).
SailPoint plans to upgrade IdentityIQ and File Access Manager to Log4J 2.17.0 in January 2022.
