Analytica not impacted by log4j
Many people have been asking us this week whether Analytica is impacted by the log4j vulnerability. The answer is no. Analytica (including Free, Professional, Enterprise, Optimizer and ADE) does not use any Java code, the log4j library, or any components that use the log4j library. Hence, this vulnerability DOES NOT impact the Analytica software.
On December 10, 2021, the Apache Software Foundation released an emergency security update for a critical zero-day vulnerability in Log4j, a Java library that provides logging capabilities. The vulnerability, identified as CVE-2021-44228 and also called "Log4Shell," has a CVSSv3 severity score of 10/10. It affects the Apache log4j Java logging library between versions 2.0 and 2.14.1. Any application or system that uses this library is vulnerable to this attack: any server-side or client-side application that uses the vulnerable log4j library can be exploited. If a user-controlled string is logged, successful exploitation allows an unauthenticated attacker to perform remote code execution, leading to full control of a vulnerable server or application.
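To check a server or installation directory for the library yourself, the following Python script walks a directory tree, reports every log4j-core JAR it finds (including copies nested in WAR/fat-JAR archives or renamed), and flags versions in the 2.0 to 2.14.1 range given above. It is an added example, not code from the Analytica vendor or from Apache; the function names are illustrative, and the file-name pattern and Maven metadata path are the standard ones for log4j-core.

```python
import os
import re
import zipfile

# Affected range as stated on this page: 2.0 through 2.14.1 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (2, 0), (2, 14, 1)
JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$", re.I)
# Maven metadata that a log4j-core JAR still carries after being renamed.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-beta9' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else None

def in_affected_range(version):
    """True when the version tuple falls inside the range this page gives."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX

def versions_in_file(path):
    """Return log4j-core versions evidenced by a file name or archive contents."""
    found = set()
    m = JAR_NAME.search(os.path.basename(path))
    if m:
        found.add(parse_version(m.group(1)))
    if path.lower().endswith((".jar", ".war", ".ear", ".zip")) and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                m = JAR_NAME.search(name)  # JAR nested inside a WAR or fat JAR
                if m:
                    found.add(parse_version(m.group(1)))
                elif name == POM_PROPS:  # renamed JAR, identified by its metadata
                    for line in zf.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            found.add(parse_version(line.split("=", 1)[1]))
    found.discard(None)
    return found

def scan(root):
    """Walk root; return sorted (path, version, affected) for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            for v in versions_in_file(path):
                hits.append((path, ".".join(map(str, v)), in_affected_range(v)))
    return sorted(hits)
```

Call `scan()` on the directory to inspect; an empty result means no log4j-core JAR was found by name or metadata under that path.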