On December 12, 2021, a serious security vulnerability was reported in Apache Log4J 2.x, a widely used Java logging framework. OpenRules Decision Manager, like many other Java-based products, uses Log4J. To mitigate this problem, we quickly switched to the recommended log4j version 2.15.0, which was supposed to remove this vulnerability. However, on December 14 a second vulnerability was discovered, and Apache released version 2.16.0 to address it.
Given the seriousness of these events, we decided to create a new emergency release, 8.4.3, of OpenRules Decision Manager that uses log4j version 2.16.0 (not 2.15.0). We’ve already built the first version of 8.4.3, and it is going through thorough testing. For urgent situations, we have made the evaluation version 8.4.3 available from here. Our team will continue to work hard to make sure that a well-tested Release 8.4.3 is available to all customers tomorrow morning. If you have any questions, please contact firstname.lastname@example.org.