Apache Log4j

Security vulnerability in Apache Log4j

CVE-2021-44228

2021-12-13 12:42 UTC

Hi Marco,

SugarCRM does not make use of the affected library.

ElasticSearch - used by Sugar - does; however, the risk is low.

Per current information from Elastic, the ElasticSearch servers are not subject to remote code execution via this vulnerability, and data within the ElasticSearch cluster cannot be accessed. See: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 for more information.

Sugar Cloud instances are already secured.

On Site instance administrators should apply the JVM option:
-Dlog4j2.formatMsgNoLookups=true

to their ElasticSearch services and should ensure that any and all other processes that may be subject to the vulnerability are patched, upgraded, or have mitigations applied as needed.

Further general information can be found at the following locations:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
https://www.lunasec.io/docs/blog/log4j-zero-day/

We will update you if anything changes or new information becomes known.

Thank you,

Kit Parenteau
Advanced Support Engineer / Support Security Engineer, SugarCRM Support
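The message above tells on-site administrators to apply the JVM option but not how to confirm it took effect; the following added example (not part of the SugarCRM message or product) checks an Elasticsearch jvm.options file and a running process command line for the exact flag. It assumes Elasticsearch reads one option per line from config/jvm.options and that the node's options are visible in its ps command line.

```shell
#!/bin/sh
# Added example, not part of the SugarCRM message above: verify that the JVM
# option the advisory asks on-site administrators to apply is really in place,
# both in an Elasticsearch config/jvm.options file and on a running process.
# Assumption: Elasticsearch reads one option per line from jvm.options ('#'
# comments) and a running node shows its options in the `ps` command line.

MITIGATION_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Does a jvm.options file set the flag? Comment lines are ignored and the
# match is exact, so "=false" or a commented-out line does not count.
# Returns 0 (true) when present, 1 when absent.
jvm_options_has_mitigation() {
    grep -v '^[[:space:]]*#' "$1" | sed 's/[[:space:]]*$//' \
        | grep -qxF -- "$MITIGATION_FLAG"
}

# Does a process command line (e.g. from `ps -o args= -p PID`) carry the flag?
# The line is split on spaces so the option must appear as a whole token.
cmdline_has_mitigation() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qxF -- "$MITIGATION_FLAG"
}

# Report every running java process on this host with its mitigation status.
# Not called below; run it on the Elasticsearch node itself.
report_running_java() {
    ps -eo pid=,args= | while read -r pid args; do
        case "$args" in *java*) ;; *) continue ;; esac
        if cmdline_has_mitigation "$args"; then
            echo "pid $pid: flag present"
        else
            echo "pid $pid: FLAG MISSING - restart with $MITIGATION_FLAG"
        fi
    done
}

# Demonstration on a constructed jvm.options file, not a real deployment.
demo_file=$(mktemp)
printf '%s\n' '# constructed sample' '-Xms1g' '-Xmx1g' "$MITIGATION_FLAG" > "$demo_file"
if jvm_options_has_mitigation "$demo_file"; then
    echo "jvm.options: flag present"
else
    echo "jvm.options: flag missing"
fi
rm -f "$demo_file"

# A constructed command line that sets the property to false must not pass.
cmdline_has_mitigation 'java -Dlog4j2.formatMsgNoLookups=false org.elasticsearch.bootstrap.Elasticsearch' \
    && echo "cmdline: flag present" || echo "cmdline: flag missing or not true"
```

The check confirms only that the flag is set; the property is honoured by Log4j 2.10 and later, so the library version in the service still needs to be verified separately.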