Is Drools Business Rules Management impacted by CVE-2021-44228


We are using Drools for our business rules. Is Drools impacted by/exposed to CVE-2021-44228 (Log4Shell, the Log4J/Apache/Java vulnerability)?

2

There are 2 answers

3
tarilabs (BEST ANSWER)

The whole KIE ecosystem (Kogito, Drools, OptaPlanner and jBPM) moved to SLF4J, a different logging facade with Logback as the default implementation, a few years ago and is therefore not vulnerable to CVE-2021-44228. Accordingly, our recommendation is to ensure your applications are updated to the latest community versions (at the time of writing, Drools, jBPM, KIE Workbench/Business Central and KIE Server 7.62.0.Final, Kogito 1.14.1.Final, Optaplanner 8.14.0.Final).

from this blog post.

We invite you to keep monitoring the blog post, in case there are any further findings in the future.
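A practical way to act on that recommendation is to confirm that no transitive dependency of your own application drags a vulnerable log4j-core onto the classpath next to the SLF4J/Logback stack Drools uses. The script below is an added example, not code from the Drools project or from the answer: it scans the text output of `mvn dependency:tree` for log4j-core versions affected by CVE-2021-44228, using a constructed sample tree.

```python
"""Audit `mvn dependency:tree` output for log4j-core versions affected by CVE-2021-44228.
Constructed example for a Drools application; the sample tree below is made up."""
import re
import sys

# A Maven coordinate token: groupId:artifactId:type[:classifier]:version[:scope]
COORD_RE = re.compile(r"([^\s:]+(?::[^\s:]+){3,5})")
LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")
FIRST_FIXED = (2, 15, 0)  # 2.15.0 closed CVE-2021-44228; later releases fix follow-ups

# Constructed sample output for a Drools 7.62.0.Final app with a stray log4j-core.
SAMPLE_TREE = """\
[INFO] com.example:rules-app:jar:1.0-SNAPSHOT
[INFO] +- org.drools:drools-core:jar:7.62.0.Final:compile
[INFO] |  +- org.kie:kie-api:jar:7.62.0.Final:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:runtime
[INFO] \\- com.example:legacy-reporting:jar:3.1:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
"""

def is_affected_version(version):
    """True for any log4j-core 2.x below 2.15.0 (covers 2.0-beta9 through 2.14.1)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return False  # unparseable version: report nothing rather than guess
    major, minor, patch = (int(x or 0) for x in m.groups())
    return major == 2 and (major, minor, patch) < FIRST_FIXED

def find_affected(tree_text):
    """Return (version, line) for each log4j-core entry in the affected range."""
    hits = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if (parts[0], parts[1]) != LOG4J_CORE:
            continue
        # The root artifact has four parts ending in the version; dependency
        # lines end with the scope, so their version is second to last.
        version = parts[-1] if len(parts) == 4 else parts[-2]
        if is_affected_version(version):
            hits.append((version, line.strip()))
    return hits

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for version, line in find_affected(text):
        print(f"affected log4j-core {version}: {line}")
```

Run it as `mvn dependency:tree | python3 check_log4j.py`; it only sees declared Maven coordinates, so classes repackaged inside shaded or uber jars need a separate scan of the jar contents.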

0
alain.janinm

Looks like it's not the case. In this thread you can find all impacted apps: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592