On Monday, December 13, 2021, the United States Cybersecurity and Infrastructure Security Agency issued guidance about vulnerability CVE-2021-44228 in Apache’s Log4j software, which is a Java-based library used for logging purposes.
Security is a top priority at Flywheel. The Flywheel team has conducted a full impact assessment of vulnerability CVE-2021-44228. Flywheel has determined that there are no Flywheel components or services that are vulnerable to the exploit in versions >8.7.0 (learn how to find your Flywheel version in our article). The assessment included Flywheel’s Elasticsearch component (ES 6.8.0), which has been confirmed by Elasticsearch to have no vulnerability to remote code execution. Flywheel XNAT users also received an email detailing our response.
Please contact Flywheel Support if you have any additional questions.