GemFire is NOT vulnerable to the NEW Log4j 2.15.0 based CVE-2021-45046

Article ID: 294451

Updated On:

Products

VMware Tanzu GemFire

Issue/Introduction

IMPORTANT: This is NOT related to Log4j CVE-2021-44228, which still MUST be addressed.

This article is intended to proactively make customers aware of the issue and alleviate any concerns.

We do not believe GemFire is vulnerable to the new Log4j 2.15 based CVE-2021-45046, initially described here: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.

However, users' applications or custom logging configurations that use context lookups or ThreadContext Map patterns may be impacted. It remains important to examine all of your own applications and client-side logic to confirm you are not introducing any vulnerabilities on your end.
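
One way to carry out the check described above on a custom `log4j2.xml`, as an added example that is not VMware's or GemFire's own code: it lists appenders whose layout uses a Context Lookup (`${ctx:...}`) or a Thread Context Map pattern (`%X`, `%mdc`, `%MDC`). The function name and the sample configuration are constructed for illustration; a hit marks a pattern to review, not a confirmed vulnerability.

```python
import re
import xml.etree.ElementTree as ET

# Context Lookup, e.g. ${ctx:loginId} or $${ctx:loginId}
CTX_LOOKUP = re.compile(r"\${1,2}\{ctx:[^}]*\}")
# Thread Context Map converters %X, %mdc, %MDC, with optional width/key
TCM_PATTERN = re.compile(
    r"%(?:-?\d+)?(?:\.-?\d+)?(?:X|mdc|MDC)(?![A-Za-z])(?:\{[^}]*\})?")

def audit_log4j2_xml(xml_text):
    """Return sorted (appender, kind, matched_text) tuples to review."""
    findings = set()
    root = ET.fromstring(xml_text)
    # Log4j2 treats XML element names case-insensitively.
    containers = [e for e in root.iter() if e.tag.lower() == "appenders"]
    for container in containers:
        for appender in container:
            name = appender.get("name", appender.tag)
            # Patterns appear as attributes (pattern="...") or <Pattern> text.
            values = []
            for el in appender.iter():
                values.extend(el.attrib.values())
                if el.text and el.text.strip():
                    values.append(el.text.strip())
            for value in values:
                for m in CTX_LOOKUP.finditer(value):
                    findings.add((name, "context-lookup", m.group(0)))
                for m in TCM_PATTERN.finditer(value):
                    findings.add((name, "thread-context-map", m.group(0)))
    return sorted(findings)

# Constructed sample configuration (not taken from GemFire).
SAMPLE = """<Configuration status="WARN">
  <Appenders>
    <Console name="STDOUT">
      <PatternLayout pattern="%d [%t] %-5level %c - %m%n"/>
    </Console>
    <File name="AUDIT" fileName="audit.log">
      <PatternLayout pattern="%d $${ctx:loginId} %X{requestId} %m%n"/>
    </File>
    <File name="APP" fileName="app.log">
      <PatternLayout><Pattern>%d %mdc %m%n</Pattern></PatternLayout>
    </File>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for appender, kind, text in audit_log4j2_xml(SAMPLE):
        print(f"{appender}: {kind}: {text}")
```

Configurations written in the properties, JSON or YAML formats need the same two expressions applied to their pattern values; this sketch parses only the XML form.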

Environment

Product Version: 9.10
OS: ALL

Resolution

Beyond examining your own application and client-side code, no additional steps are necessary to avoid this issue with GemFire.

You must still take action to incorporate any suggested workarounds to avoid CVE-2021-44228. To permanently fix the issue, you can upgrade to a new version of GemFire available on Tanzu Network.