About Log4j Vulnerability (CVE-2021-44228)

None of the Visual Paradigm services use log4j. There is a feature in our desktop modeling tool which supports generating Hibernate layer source code from a model (supported in Standard Edition or above). In this feature, Log4j is one of the bundled libraries included by default in the generated code (the user can choose not to include this library during code generation). Even if you have this library included, as long as you are not using it, this vulnerability will not affect you at all. Even if a user is using log4j in the generated code, it still requires the user to run SocketServer as the main class in order to expose this loophole. Furthermore, the affected log4j versions are from 2.x to 2.15.0-rc1, but we only bundle 1.2, so it is not covered by the scope. To conclude, the Log4j issue does not affect VP or the use of our product.


Looking for the same info. Thank you, I will figure it out more.