Outage in Mendix

Log4j-core vulnerability: CVE-2021-44832

Resolved Maintenance
December 29, 2021 - Started over 2 years ago - Lasted 3 months

Latest Updates (sorted recent to last)
MONITORING over 2 years ago - at 02/07/2022 02:27PM

We have released Mendix 9.10.0 and 9.6.7, which include version 2.17.1 of the log4j library, mitigating CVE-2021-44832.

We will also release patches including this library version for Mendix 8.18 and 7.23. We will inform you when this is done.

IDENTIFIED over 2 years ago - at 12/29/2021 11:03AM

On Tuesday, December 28, a new log4j-core vulnerability, CVE-2021-44832, was disclosed. The severity of this new vulnerability is classified as Moderate, with a base CVSS score of 6.6.
After analysis, we have concluded this vulnerability can’t be exploited in the Mendix Runtime.

To prevent false positives from code scanners, we will update the log4j library (log4j-api, not log4j-core) used by the runtime and bundled with Mendix Studio Pro. Given everything mentioned above, we will do this in our regular release schedule.

We also recommend that our customers check their projects and update the log4j-core library to the latest version, currently 2.17.1, if their project contains a log4j-core library below version 2.17.1.
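
One way to carry out the project check recommended above, as an added example that is not Mendix's or IsDown's own code: it walks a directory given on the command line (which folder to scan is an assumption), identifies log4j-core by file name or by the Maven `pom.properties` entry inside the jar, ignores log4j-api, and reports versions below 2.17.1.

```python
# Added example: find log4j-core jars below 2.17.1 under a project directory.
import re
import sys
import zipfile
from pathlib import Path

FIXED = (2, 17, 1)  # version the advisory names as current
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '2.14.1' (or '2.0-beta9') into a comparable tuple of ints."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    nums = [int(p) for p in m.group(0).split(".")] if m else [0]
    return tuple(nums + [0] * (3 - len(nums)))


def core_version(jar_path):
    """Return the log4j-core version in a jar, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS in jar.namelist():  # also catches renamed or shaded jars
                for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name
    m = NAME_RE.search(Path(jar_path).name)
    return m.group(1) if m else None


def find_outdated(root):
    """List (path, version) for every log4j-core jar under root below FIXED."""
    hits = []
    for jar in sorted(Path(root).rglob("*.jar")):
        version = core_version(jar)
        if version and parse_version(version) < FIXED:
            hits.append((str(jar), version))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version in find_outdated(root):
        print(f"{path}: log4j-core {version} is below 2.17.1")
```

Jars nested inside other archives are not unpacked, so an empty result covers only the jars found directly under the scanned directory tree.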
