Since early this morning (2021-12-10T06:19:15Z) we have been investigating the potential impact on Vespa from the recently discovered vulnerability in the log4j library CVE-2021-44228.

Based on our investigations as well as guidance and analysis from our security team, we currently do not believe that any published Vespa version is vulnerable to this issue. Vespa does not include log4j versions >= 2.0, nor any use of the vulnerable JMSAppender class present in earlier versions of the library.

Your Vespa application may still be affected if log4j is included in your application package, either directly or transitively! We believe most uses of the library can be discovered by running the following command in your application package Maven project root and inspecting the output:

mvn dependency:tree

We will release a version of Vespa only including log4j >= 2.15 as soon as all our dependencies have been updated.

Update: We have completely removed all use of log4j from Vespa since version 7.520.3, released 2021-12-22.

Update 2: On Vespa Cloud, we have enforced that user applications do not contain any log4j dependencies older than version 2.17.1 since Vespa 7.528.38, released 2022-01-17.