GemFire is impacted by remote code execution vulnerabilities via Apache Log4j (CVE-2021-44228, CVE-2021-45046).
GemFire is not impacted by the latest CVE-2021-45105.
Environment
Product Version: 9.10
OS: ALL
Resolution
These well-documented Log4j CVEs have been addressed in new versions of GemFire-based products.
These new versions of GemFire now use the newly available Log4j v2.16, which resolves the first two Log4j CVEs known to potentially impact GemFire.
Newer versions of GemFire across all products will incorporate Log4j v2.17 when they are released.
VMware Tanzu GemFire has released version 9.10.13 to address these issues. VMware Tanzu GemFire For VMs has released various versions, such as v1.10.9, v1.12.4, v1.13.5, and v1.14.2, to address these issues.
To protect our current and future customers, we are removing all GemFire products vulnerable to these CVEs from public access. If you decide you need access to an older version, open a support ticket to initiate a discussion on the best next steps.