On the 10th of december 2021 information on a vulnerability was made public on the Internet. The vulnerable component was log4j2, and is a common component in many places where Java is used. The vulnerability was named “log4shell” and formally called CVE-2021-44228 in the CVE directory.

The log4j2 flaw has a base CVSS score of 10 and enables remote code execution against application. The log4j component is used in many software tools and in places which makes the attack surface very large. These issues combined gives a problem that is of grave concern to many security responsible around the globe.

Since no components in the IMPEX solution is built using Java, there are no uses of Java components such as Log4j2.

Since IMPEX does not have the vulnerable component, no part of IMPEX is affected. IMPEX station, IMPEX ICC and IMPEX repo is NOT vulnerable to the log4shell/CVE-2021-44228 vulnerability.

More information about CVE-2021-44228 is published at NIST.