Dear Users,
We would like to inform you that ServiceDesk Plus is not affected by the recent RCE vulnerability (CVE-2021-44228) reported in the Log4j framework.
What is the CVE-2021-44228 vulnerability?
According to the Apache Foundation, "an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled."
Why is ServiceDesk Plus not affected by this vulnerability?
ServiceDesk Plus currently uses a lower version of the Log4j framework that is not vulnerable, and is therefore not affected by the vulnerability. We at ServiceDesk Plus have also started work to upgrade our Log4j framework to the latest secure version to avoid any potential threats in the future.
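
One way to check which Log4j version a Java application ships against CVE-2021-44228 (an added example, not ServiceDesk Plus or Apache code). It assumes the jar carries Maven pom.properties metadata; the function names and sample jars are constructed for illustration, and the affected range follows Apache's advisory (2.0-beta9 through 2.14.1; 1.x is not affected by this CVE).

```python
import io
import re
import zipfile

# Maven metadata paths inside the jar (assumption: the jar was built with Maven).
POM_V2 = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_V1 = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# 2.x maintenance releases that carry the fix although they sort below 2.15.0.
BACKPORTS = {"2.3.1", "2.3.2", "2.12.2", "2.12.3", "2.12.4"}

def classify(version):
    """Map a Log4j version string to its CVE-2021-44228 status."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-\S+)?$", version)
    if not m or m[4]:  # unparsable, or an alpha/beta/rc build: review by hand
        return "unknown"
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    # Apache lists 2.15.0 as the first fixed release for this CVE.
    if major != 2 or version in BACKPORTS or (minor, patch) >= (15, 0):
        return "not affected"
    return "affected"

def scan_jar(jar):
    """Return (version, status) for a jar given as a path or a file object."""
    with zipfile.ZipFile(jar) as z:
        names = set(z.namelist())
        pom = next((p for p in (POM_V2, POM_V1) if p in names), None)
        if pom is None:
            return None, "unknown"
        props = z.read(pom).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = m[1].strip() if m else None
        status = classify(version) if version else "unknown"
        # Deleting JndiLookup.class is the mitigation Apache documented.
        if status == "affected" and JNDI_CLASS not in names:
            status = "mitigated (JndiLookup class removed)"
        return version, status

def make_jar(pom_path, version, with_jndi=False):
    """Build a constructed in-memory jar used only for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(pom_path, f"version={version}\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"")
    return buf

if __name__ == "__main__":
    for jar in (make_jar(POM_V1, "1.2.17"), make_jar(POM_V2, "2.14.1", True)):
        print(scan_jar(jar))
```

On a real installation, pass each jar path found under the application's lib directories to `scan_jar`; a result of "unknown" means the version has to be confirmed another way, such as the jar manifest.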