Log4J Remote Code Execution (RCE) and Denial of Service (DoS) Vulnerabilities Update - 12/16/21
Impacted products: IdentityNow, IdentityIQ, File Access Manager, and IdentityAI
SailPoint has mitigated the Log4J RCE vulnerability (CVE-2021-44228) in all impacted products per the recommendations provided by the Apache Logging Services Project. We are aware of newly released analysis stating that the previously provided recommendation does not fully mitigate the RCE vulnerability. We are also aware of the recently identified Log4J DoS vulnerability (CVE-2021-45046), which is applicable to the impacted products.
We are actively working on fully addressing both vulnerabilities by upgrading to Log4J 2.16.0. We expect product releases that include the updated library to be available by the end of day (CST) Friday 12/17/2021.
We will be issuing further communications once new releases are available. No action is needed at this time.