Log4J library issue does not affect Bonita

soham.datta

A critical security flaw has been discovered in the Log4J library.

This library is widely used in Java applications, and we would like to reassure you about its impact on the Bonita platform.

The Bonita platform does not use the Log4J library in its runtimes, so it is not exposed to the recently detected zero-day flaw. The Bonita Cloud team is already working on the service to increase the level of security.

The Log4J library is present in the development suite (Studio / UID). These components are only used in local mode (on an isolated machine) and are not exposed as an external service. The risk is almost zero.

However, we urge you to check your custom code, code bases and repositories to be sure that you have no dependencies on Log4J (for example in a REST API extension).
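One way to run that check over built artifacts, as an added example that is not Bonita's own tooling: the script walks a directory, opens every `.jar`, `.war`, `.ear` and `.zip` (including archives nested inside them) and reports those that bundle the `JndiLookup` class from log4j-core 2.x. It detects the presence of the library only, not its version, and does not cover Log4j 1.x; the file names in `build_sample` are constructed sample data.

```python
import io
import sys
import zipfile
from pathlib import Path

# Class shipped in log4j-core 2.x; finding it means the archive bundles the
# library, whatever the JAR file itself is called.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, max_depth=4):
    """Return labels of archives (nested ones included) that contain MARKER."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name == MARKER or name.endswith("/" + MARKER):
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXT) and max_depth > 0:
                    hits += scan_archive(zf.read(name), f"{label}!{name}", max_depth - 1)
    except (zipfile.BadZipFile, RuntimeError):
        pass  # unreadable or encrypted archive: skip it
    return hits

def scan_tree(root):
    """Scan every archive under root and return the sorted, de-duplicated hits."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            hits += scan_archive(path.read_bytes(), str(path))
    return sorted(set(hits))

def build_sample(root):
    """Constructed sample: an extension zip bundling a Log4j jar, plus a clean jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(MARKER, b"")
    with zipfile.ZipFile(Path(root) / "my-rest-api-ext.zip", "w") as ext:
        ext.writestr("README.txt", "constructed sample\n")
        ext.writestr("lib/some-logging.jar", inner.getvalue())
    with zipfile.ZipFile(Path(root) / "clean.jar", "w") as jar:
        jar.writestr("com/example/App.class", b"")

if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("log4j-core found in:", hit)
```

Run it with the directory that holds your built extensions and libraries as the only argument; a `!` in a reported path separates an outer archive from the JAR nested inside it.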

If necessary, please apply the corrective measures proposed by your IT security department, or deactivate the code that uses Log4J during the time it takes to implement corrective measures.

You can find some examples and suggestions in the following article:

The article also contains a detection tool for your library code.
