A major flaw — called Log4Shell — has been discovered in the Apache Log4j logging library.
As of this weekend all branches of Simplicity version 5 were updated with the latest Log4J library then available (2.15.0) which solved the critical vulnerability mentioned above.
Today, the Apache Foundation has just released a new version of Log4J 2.x (Release 2.16.0) in order to correct definitively this vulnerability (see their latest release note: Log4j — Changes (1)
This new version has been updated on all relevant branches of the Simplicity platform. For the current branch, this corresponds to the revision 5.1.17. See our release note: Simplicity® 5/releasenote/releasenote-5.1 or our forum topic.
So you need to upgrade your instances. asap on this latest revision.
We also hope that this will be the final fix for this Log4J vulnerability...
[UPDATE — 2021-12-20]
The Apache Foundation has just released a new version of Log4J 2.x (version 2.17.0). See their release note: Log4j — Changes
This new version of Log4J2 has been updated on all relevant branches of the Simplicity platform. For the current release branch, this corresponds to revision 5.1.19. See our release note: Simplicity® 5/releasenote/releasenote-5.1 1.
Therefore, you should upgrade your instances again as soon as possible on this latest revision. We also hope — again — that this will be the final fix for these Log4J vulnerabilities...
To note : This vulnerability does not affect Simplicity 4.0, as it did not use Log4J 2.x, but Log4J 1.x. However, the Apache Foundation indicates that the JMS appenders and those based on JNDI from Log4J 1.x may also be potentially vulnerable.
The Log4J configuration delivered by default with Simplicity only uses basic appenders (console and file), so if you have not customized this configuration there is no risk, otherwise be sure to deactivate any vulnerable appenders that you may have added.