Last week you may have read in the media about CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228), a vulnerability discovered in log4j, a widely used Java logging framework. Our security experts in product development have analyzed Merlin and the libraries it requires to run. We can assure you that this vulnerability does not affect any Merlin release from 7.0.0 onward in any critical way (releases before 7.0.0 were not checked).
- M.Core and all its modules are not affected, because they do not use log4j at all.
- Keycloak, which Merlin uses for authentication, is not affected because it only includes log4j's API, not the vulnerable implementation. We already follow all of Keycloak's recommendations, i.e. the JMSAppender is not enabled (see https://github.com/keycloak/keycloak/discussions/9078).
- M.Model is also not critically exposed. M.Model is not a server but a client application running on an internal user's PC, so it is not reachable via the usual attack vectors from outside. Moreover, M.Model is not directly affected, since it uses logback for logging. We are currently checking whether log4j may be pulled in transitively by some component used in M.Model; if so, we will remove that use of log4j to be completely safe.
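The transitive check mentioned above is worth doing against the shipped artifacts rather than the build's dependency declarations, because fat jars, WARs and vendored libraries can carry a log4j-core copy that no pom or Gradle file names, and a log4j-core jar reached only transitively is still exploitable if any component logs attacker-influenced text through it. The following scanner is an added example, not Merlin's or the vendor's own tooling: it walks a directory, opens every jar/war/ear (recursing into nested archives), reads the version log4j-core declares in its Maven pom.properties, and checks whether JndiLookup.class is still present, since deleting that class was a common mitigation that the version string alone would not reveal. The three sample archives it builds under a temporary directory are constructed for the demonstration; the placeholder class bytes are not a real class file.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The class that performs JNDI lookups from log messages (the CVE-2021-44228 sink).
# Removing it from the jar was a recognised mitigation, so it is checked separately
# from the declared version.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships inside its own jar, containing "version=...".
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str            # e.g. "app.war!WEB-INF/lib/log4j-core-2.14.1.jar"
    version: Optional[str]   # from pom.properties, None if the file is absent
    has_jndi_lookup: bool    # JndiLookup.class present in the archive
    affected: bool           # vulnerable version AND lookup class still present


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.14' -> (2, 14, 0); '2.0-beta9' -> (2, 0, 9)."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_vulnerable(version: Optional[str]) -> bool:
    """True for log4j-core releases in the CVE-2021-44228 range: 2.x before 2.15.0,
    except the backported fixes 2.12.2+ (Java 7) and 2.3.1+ (Java 6).
    Only CVE-2021-44228 is modelled here; later log4j CVEs need their own checks."""
    if version is None:
        return True  # unknown version: treat as vulnerable until proven otherwise
    v = parse_version(version)
    if v < (2, 0, 0) or v >= (2, 15, 0):
        return False  # 1.x has no JndiLookup; 2.15.0+ disabled message lookups
    if v[:2] == (2, 12) and v >= (2, 12, 2):
        return False
    if v[:2] == (2, 3) and v >= (2, 3, 1):
        return False
    return True


def version_from_props(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf: zipfile.ZipFile, location: str, findings: List[Finding]) -> None:
    names = set(zf.namelist())
    version = version_from_props(zf.read(POM_PROPS)) if POM_PROPS in names else None
    has_lookup = JNDI_LOOKUP in names
    if version is not None or has_lookup:
        findings.append(Finding(location, version, has_lookup,
                                affected=has_lookup and version_vulnerable(version)))
    # Recurse into nested archives: fat jars, WEB-INF/lib/*.jar, wars inside ears.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            scan_archive(nested, f"{location}!{name}", findings)


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, os.path.relpath(path, root), findings)
            except zipfile.BadZipFile:
                pass  # not a zip despite the extension; nothing to inspect
    return findings


def _log4j_core_jar(version: str, with_jndi_class: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar; the class bytes are a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi_class:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_tree(root: str) -> str:
    """Constructed sample: a WAR nesting a vulnerable log4j-core under WEB-INF/lib,
    a jar on a fixed version, and a 2.14.1 jar with JndiLookup.class removed."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _log4j_core_jar("2.14.1", True))
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(_log4j_core_jar("2.17.1", True))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1-mitigated.jar"), "wb") as f:
        f.write(_log4j_core_jar("2.14.1", False))
    return root


def demo() -> List[Finding]:
    return scan_tree(build_sample_tree(tempfile.mkdtemp(prefix="log4j-scan-")))


if __name__ == "__main__":
    for f in demo():
        print(f"{'AFFECTED' if f.affected else 'ok':9} {f.location}  "
              f"version={f.version}  JndiLookup={'present' if f.has_jndi_lookup else 'absent'}")
```

Point scan_tree at the unpacked installation directory of the client (or the server's deployment directory) instead of the constructed sample. A hit with JndiLookup.class present and a version in the vulnerable range is the case to act on; a mitigated jar shows up with the old version string but no lookup class, which is why the scanner reports both facts rather than collapsing them into one verdict.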
For further information on the CVE, see https://www.lunasec.io/docs/blog/log4j-zero-day/
To stay safe in the future we will keep updating our product regularly to the latest stable versions of its libraries, so that we can continue to provide you with safe-to-use software. One of our means of finding issues early is an automated daily check of all included dependencies for critical vulnerabilities; it was this check that triggered our recent investigation of this CVE's relevance to Merlin.