
Sonatype Product Log4j Vulnerability Status

As noted in our blog post, Sonatype is aware of the reported Apache "Log4j2" security issues (CVE-2021-44228 and CVE-2021-45046).

Note

Sonatype uses logback as the default logging solution rather than log4j. This means our software, including Sonatype Lifecycle, Sonatype Repository Firewall, and Nexus Repository OSS and Pro (versions 2.x and 3.x), is NOT affected by the reported log4j vulnerabilities. We still advise keeping your software upgraded to the latest version.

Sonatype Lifecycle

Sonatype Lifecycle does not contain the vulnerable components of log4j and is not affected by CVE-2021-44228 or CVE-2021-45046. No action is necessary.

Sonatype Lifecycle primarily uses slf4j 1.x, which internally delegates to logback 1.x. Where we have dependencies that refer to log4j specifically, we use log4j-over-slf4j, which is not impacted by CVE-2021-44228 or CVE-2021-45046.

Sonatype Repository Firewall

Sonatype Repository Firewall is packaged with Sonatype IQ Server. The IQ Server is unaffected by CVE-2021-44228 or CVE-2021-45046. No action is necessary.

Nexus Repository 2 and 3

Nexus Repository does not contain the vulnerable components of log4j and is not affected by CVE-2021-44228 or CVE-2021-45046. No action is necessary.

Nexus Repository primarily uses slf4j 1.x, which internally delegates to logback 1.x. Nexus Repository does use some log4j components such as log4j-over-slf4j, but none are affected by CVE-2021-44228 or CVE-2021-45046.

Nexus Repository OSS and Pro 3.x contain an embedded instance of Elasticsearch; neither Nexus Repository nor its embedded Elasticsearch instance contains vulnerable log4j components.

Nexus Repository Database Migrator

The Nexus Repository Database Migrator utility does not contain the vulnerable components of log4j and is not affected by CVE-2021-44228 or CVE-2021-45046. No action is necessary.

The migrator does include log4j-api 2.x (not impacted by CVE-2021-44228 or CVE-2021-45046), but not log4j-core. It uses the newer version of the log4j-over-slf4j bridge (log4j-to-slf4j): https://logging.apache.org/log4j/2.x/log4j-to-slf4j/
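As an added example (not Sonatype's code or tooling), the following Python check applies the distinction this page draws: a jar named log4j-over-slf4j, log4j-to-slf4j or log4j-api carries no log4j-core code, while the JNDI lookup class that CVE-2021-44228 and CVE-2021-45046 concern lives only in log4j-core (or in an application jar that shades it). The sample jars, their version numbers and the directory layout are constructed for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Bridges and the API jar carry no log4j-core code; the JNDI lookup class behind
# CVE-2021-44228 / CVE-2021-45046 lives in log4j-core, so key on the class, not on
# the jar name (a shaded application jar can carry it under any name).
BRIDGE_OR_API = {"log4j-over-slf4j", "log4j-to-slf4j", "log4j-api"}
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")

def classify_jar(path):
    """Return (artifact, version, verdict) for one jar file."""
    name = Path(path).name
    m = JAR_NAME.match(name)
    artifact = m.group("artifact") if m else name
    version = m.group("version") if m else "unknown"
    with zipfile.ZipFile(path) as jar:
        has_lookup = JNDI_LOOKUP in jar.namelist()
    if has_lookup:
        return artifact, version, "log4j-core lookup class present: compare version with the fix releases"
    if artifact in BRIDGE_OR_API:
        return artifact, version, "bridge/API artifact, no log4j-core code: not affected"
    return artifact, version, "no log4j-core lookup class"

def scan(root):
    """Map every jar file name below root to its classification."""
    return {p.name: classify_jar(p) for p in Path(root).rglob("*.jar")}

def needs_review(root):
    """Jars that really carry the log4j-core lookup class, whatever they are named."""
    return sorted(n for n, (_, _, v) in scan(root).items() if v.startswith("log4j-core"))

def build_sample_tree(root=None):
    """Write constructed sample jars (empty class entries) so the scan runs offline."""
    root = Path(root or tempfile.mkdtemp())
    samples = {
        "lib/log4j-over-slf4j-1.7.32.jar": ["org/apache/log4j/Logger.class"],
        "lib/log4j-api-2.17.0.jar": ["org/apache/logging/log4j/LogManager.class"],
        "lib/logback-classic-1.2.9.jar": ["ch/qos/logback/classic/Logger.class"],
        "app/shaded-app-1.0.jar": ["com/example/Main.class", JNDI_LOOKUP],
    }
    for rel, entries in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(root / rel, "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")
    return str(root)
```

Calling `scan(build_sample_tree())` exercises the check against the constructed jars; pointing `scan` at a real installation's library directory reports only the jars that actually contain log4j-core's lookup class, so bridge and API jars do not show up as findings.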