2021-12-13 12:42 UTC
SugarCRM does not make use of the affected library.
ElasticSearch - used by Sugar - does, however risk is low.
Per current information from Elastic, the ElasticSearch servers are not subject to remote code execution via this vulnerability, and data within the ElasticSearch cluster cannot be accessed. See: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 for more information.
Sugar Cloud instances are already secured.
On Site instance administrators should apply the JVM option:
to their ElasticSearch services and should ensure that any and all other processes that may be subject to the vulnerability are patched, upgraded, or have mitigations applied as needed.
Further general information can be found at the following locations:
We will update you if anything changes or new information becomes known.
Advanced Support Engineer / Support Security Engineer, SugarCRM Support