Last updated on: 5th May, 2022
ManageEngine products bundled with vulnerable Log4j2 (as of 13th December, 2021):
Jar version in bundled dependency
M365 Manager Plus
Exchange Reporter Plus
Cloud Security Plus
M365 Security Plus
Please note that we have not identified any exploitable cases due to Log4j2 in the above products, as we do not use Log4j directly for logging. However, some of the third parties we use bundle Log4j2 as a dependency. As an additional safety measure, customers are instructed to apply the mitigation steps listed below:
Other ManageEngine products that are not listed above are not impacted by this vulnerability.
We are continuing to analyze the issue and will update this advisory if any new information becomes available.