Infinispan and Log4j CVE-2021-44228

Dear Infinispan community,

We’ve just released 13.0.3.Final, 12.1.8.Final and 11.0.13.Final to address the very serious CVE that affects log4j-core. Additionally, we have released upgraded versions of the Infinispan Operator to match the server versions: 2.2.2.Final for Infinispan 13.0 and 2.1.6.Final for Infinispan 12.1. Please upgrade as soon as you can. Refer to our tracking Jira ISPN-13562 for versions.

What’s affected

We include log4j-core in our server distributions, including the images. We are fixing the issue by upgrading to Log4J 2.15.0.
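To confirm which log4j-core version a given server installation actually ships, the following added example (not code from the Infinispan project) scans a directory for log4j-core jars and flags any older than 2.15.0. It assumes the jars keep the standard Maven file name `log4j-core-<version>.jar`; the function names and the directory argument are illustrative.

```shell
#!/bin/sh
# Added example (not Infinispan project code): list the log4j-core jars under
# a directory and flag any older than the fixed release.
# Assumption: jars keep the Maven file name log4j-core-<version>.jar.
# Copies nested inside other archives are not inspected.

FIXED_VERSION=${FIXED_VERSION:-2.15.0}   # Log4j version this post upgrades to

# version_lt A B: succeed when dotted version A is numerically lower than B.
version_lt() {
    va=$1 vb=$2
    for n in 1 2 3; do
        x=${va%%.*} y=${vb%%.*}
        x=${x%%[!0-9]*} y=${y%%[!0-9]*}      # drop qualifiers such as -beta9
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
    done
    return 1                                 # equal versions are not "lower"
}

# scan_log4j_core DIR: print one line per log4j-core jar found under DIR.
# Returns 0 if all are fixed, 1 if any is outdated, 2 if none was found.
scan_log4j_core() {
    dir=$1 found=0 outdated=0
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        found=$((found + 1))
        ver=${jar##*/log4j-core-}            # strip path and artifact name
        ver=${ver%.jar}
        if version_lt "$ver" "$FIXED_VERSION"; then
            outdated=$((outdated + 1))
            printf 'OUTDATED %s %s\n' "$ver" "$jar"
        else
            printf 'ok       %s %s\n' "$ver" "$jar"
        fi
    done <<EOF
$(find "$dir" -type f -name 'log4j-core-*.jar' 2>/dev/null)
EOF
    [ "$found" -gt 0 ] || return 2           # nothing found: check the path
    [ "$outdated" -eq 0 ]
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    scan_log4j_core "$1"
fi
```

For container images, run it against an extracted copy of the image filesystem.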

Mitigation strategies

If you cannot upgrade, there are several mitigation strategies you can apply. But upgrading is always the best solution.

Get it, Use it, Ask us!

We’re hard at work on new features, improvements and fixes, so watch this space for more announcements!

Please, download and test the latest release.

The source code is hosted on GitHub. If you need to report a bug or request a new feature, look for a similar one on our JIRA issues tracker. If you don’t find any, create a new issue.

If you have questions, are experiencing a bug or want advice on using Infinispan, you can use StackOverflow. We will do our best to answer you as soon as we can.

The Infinispan community uses Zulip for real-time communications. Join us using either a web-browser or a dedicated application on the Infinispan chat.

Tristan Tarrant

Tristan has been leading the Infinispan Engineering Team at Red Hat for the past five years as well as being Principal Architect for Red Hat Data Grid. He’s been a passionate open-source advocate and contributor for nearly three decades.