KIE & Log4j2 exploit CVE-2021-44228
Blog: Drools & jBPM Blog
The whole KIE ecosystem (Kogito, Drools, OptaPlanner and jBPM) moved to SLF4J, a different logging facade with Logback as its default implementation, a few years ago, and it is therefore not vulnerable to CVE-2021-44228. Accordingly, our recommendation is to ensure your applications are updated to the latest community versions (at the time of writing, Drools, jBPM, KIE Workbench/Business Central and KIE Server 7.62.0.Final, Kogito 1.14.1.Final, OptaPlanner 8.14.0.Final).
If you are using KIE projects as libraries in your own projects, you are therefore not affected by this problem. The only exception is the AppFormer Dashbuilder, which declares the dependency on Log4j2 without actually using it. Dashbuilder is a monitoring component included in Business Central. We are about to remove the dependency declaration just in case.
If you are declaring and/or using the Log4j2 dependency in your own KIE projects, please make sure to upgrade Log4j2 as soon as possible to version 2.15.0, which solves this problem.
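As an added example (not code from the KIE project or from this post), the following Python script walks an exploded deployment tree, such as a KIE Server or Business Central WAR unpacked on disk, and reports every bundled log4j-core jar whose version is below 2.15.0, reading the version Maven records inside the jar and falling back to the file name. The sample deployment it builds is constructed test data, and comparing versions by plain numeric ordering is an assumption of the example.

```python
import os
import re
import tempfile
import zipfile

FIXED_VERSION = "2.15.0"  # release named in the post; plain numeric ordering assumed
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*(?:-[\w.]+)?)\.jar$")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(version):
    """'2.14.1' -> (2, 14, 1); qualifiers ('-beta9') dropped, short versions zero-padded."""
    parts = [int(p) for p in version.split("-")[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    return parse_version(version) < parse_version(FIXED_VERSION)

def jar_version(path):
    """Version Maven recorded inside the jar, or the one in the file name as fallback."""
    try:
        with zipfile.ZipFile(path) as jar:
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):  # unreadable jar or no pom.properties
        match = JAR_NAME.match(os.path.basename(path))
        return match.group(1) if match else None
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None

def scan(root):
    """One record per log4j-core jar below root: path, version and UPGRADE/ok status."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            version = jar_version(path) if JAR_NAME.match(name) else None
            if version is not None:
                status = "UPGRADE" if is_vulnerable(version) else "ok"
                findings.append({"path": path, "version": version, "status": status})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_deployment():
    """Constructed input: two near-empty jars standing in for real log4j-core builds."""
    lib = os.path.join(tempfile.mkdtemp(prefix="kie-sample-"), "WEB-INF", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as jar:
        jar.writestr(POM_PROPS, "version=2.14.1\ngroupId=org.apache.logging.log4j\n")
    zipfile.ZipFile(os.path.join(lib, "log4j-core-2.15.0.jar"), "w").close()  # name only
    return os.path.dirname(os.path.dirname(lib))
```

Run `scan("/path/to/exploded/deployment")` against a real tree; the script does not descend into nested WAR or EAR archives, so unpack those first.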
We invite you to monitor this blog post, which will be updated in case of any future additional findings.
Further reading: http://slf4j.org/log4shell.html – official statement from the SLF4J team