According to the latest update from Oracle, the previously communicated workaround for the Log4j vulnerability is NOT working properly. Oracle is still working under high pressure to find a solution to this problem. We are in constant contact with Oracle and will inform you about any developments in our news.
Statement from Oracle:
"A new CVE-2021-45046 was released, affecting org.apache.logging.log4j:log4j-core package, versions prior to 2.16.0.
The new CVE identified:
- The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations
- The previous workaround, involving the addition of "-Dlog4j2.formatMsgNoLookups=true" JVM parameter, does NOT mitigate this specific vulnerability."
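
To act on the statement above, the following added example (not from Oracle or the original notice) inventories log4j-core copies inside Java archives, nested jars included, flags versions prior to 2.16.0, and never counts the formatMsgNoLookups flag as a fix. The helper names, verdict labels and the sample WAR are constructed for illustration; it assumes the jar carries Maven's pom.properties and falls back to the file name otherwise.

```python
import io
import re
import zipfile

FIXED = (2, 16, 0)  # per the statement: versions prior to 2.16.0 are affected
FLAG = "-Dlog4j2.formatMsgNoLookups=true"  # workaround the statement rules out
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
def parse_version(text):  # '2.15.0' -> (2, 15, 0); '-beta9' style suffixes dropped
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", text).group().split(".")]
    return tuple((nums + [0, 0, 0])[:3])

def find_log4j_core(data, path):
    """Yield (path, version) for each log4j-core copy, nested archives included."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with archive:
        names = archive.namelist()
        if POM in names:  # Maven metadata beats the file name (renamed/shaded jars)
            props = archive.read(POM).decode("utf-8", "replace")
            found = re.search(r"^version=(\d\S*)", props, re.M)
            if found:
                yield path, found.group(1)
        elif NAME_RE.search(path):
            yield path, NAME_RE.search(path).group(1)
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                yield from find_log4j_core(archive.read(name), f"{path}!/{name}")

def assess(findings, jvm_args):
    """Classify findings; the flag never turns an affected version into 'ok'."""
    return [(p, v, "ok" if parse_version(v) >= FIXED
             else "affected-flag-is-no-fix" if FLAG in jvm_args else "affected")
            for p, v in findings]

def jar(entries):  # build an in-memory zip from {name: body}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()
SAMPLE_WAR = jar({  # constructed sample: a WAR with two nested log4j-core jars
    "WEB-INF/lib/log4j-core-2.15.0.jar": jar({POM: "version=2.15.0\n"}),
    "WEB-INF/lib/log4j-core-2.16.0.jar": jar({"META-INF/MANIFEST.MF": ""}),
})
if __name__ == "__main__":
    for row in assess(find_log4j_core(SAMPLE_WAR, "app.war"), ["-Xmx1g", FLAG]):
        print(*row)
```

To scan a real deployment, pass each archive's bytes and path to `find_log4j_core` and the service's actual JVM arguments to `assess`.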
Note: For an overview of possible affected vendors, click here: