François
Administrator

The HOPEX platform does not incorporate or make any use of Apache LOG4J and is not affected by vulnerability CVE-2021-44228.

The full HOPEX source code is submitted every day to an Open Source Security Scanner, explicitly aimed at detecting weak or obsolete open source code, whether embedded directly or pulled in through cascading calls. Scans from the last few days have not raised any alert, confirming that LOG4J is not in any way within the perimeter of an out-of-the-box HOPEX installation.

Note that the Talend component “HopexToSN_Business Process_013.zip”, used to exchange data between Hopex and Service Now, uses Log4j 1.x, which is not affected by the vulnerability.

https://logging.apache.org/log4j/2.x/security.html

The pre-HOPEX GRC platform (before 2013, no longer supported) did use LOG4J.

As a consequence, old documentation related to the GRC platform may mention LOG4J.

Do not confuse the GRC platform with the GRC Solution (now called IRM Solutions) on the HOPEX platform.

For more information, please consult KB 00009869