On Friday, December 10, 2021, we observed the announcement of a previously unknown zero-day vulnerability (CVE-2021-44228) in log4j, a commonly used logging library for Java-based software.
ProcessMaker BPM and its integrations do not require Java and so do not use the log4j library; they have therefore not been impacted by this vulnerability.
As a security measure, our team has conducted a full impact assessment since the vulnerability was initially documented, and we have found no component or service offered by ProcessMaker to be affected.
Components analyzed and identified as secure:
- ProcessMaker Cloud (Cloud Web Applications, RESTful APIs, API Gateways)
- ProcessMaker Web (Public Website)
- ProcessMaker Support (Zendesk)
- Backup Services (AWS Backup, AWS S3)
At this time, no components have been identified as vulnerable to the exploit.
We are continuously monitoring the work of security researchers for further findings about this vulnerability and any others that may emerge. Further updates will be posted on this page as necessary.
As of 6 PM ET, December 13th, 2021