These patch releases address the Log4j vulnerability discovered December 9, 2021.

A patch has been released to move dependencies to Log4j 2.17.1 for Corda 5 Developer Preview 1.0.1.

A patch has been released to move dependencies to Log4j 2.17.1 for Corda Enterprise 4.8.6.

You can find more information about this patch release in the Corda Enterprise 4.8 release notes.

A patch has been released to move dependencies to Log4j 2.17.1 for:

  • CENM 1.5.4
  • CENM 1.4.4
  • CENM 1.3.5
  • CENM 1.2.6

You can find more information about this patch release in the respective CENM release notes.

A patch has been released to move dependencies to Log4j 2.17.1 for:

  • Corda Enterprise 4.7.6
  • Corda Enterprise 4.6.8
  • Corda Enterprise 4.5.9
  • Corda Enterprise 4.4.11
  • Node management console 1.0.3
  • Flow management console 1.0.3
  • Business Network membership management 1.1.2

You can find more information about this patch release in the respective CENM release notes.

Business Network Manager tool 1.0.1 update has been released. Please check the patch release timetable for the updated schedule of outstanding patches.

All fixes move dependencies to Log4j 2.16.0.

An update for CENM 1.4.3 has been released, and version 1.0.2 has been released for the node management and flow management consoles. Please check the patch release timetable for the updated schedule of outstanding patches.

All fixes move dependencies to Log4j 2.16.0.

Investigations are in progress following the release of Log4j 2.17.0. However, as effective countermeasures against the vulnerabilities identified in earlier versions have now been implemented, the update to Log4j 2.17.0 (or the latest version at that time) will be available at the end of January 2022.

Updates for CENM 1.5.3 and the CENM Management Console have been released. Please check the patch release timetable for the updated schedule of outstanding patches.

All fixes move dependencies to Log4j 2.16.0.

Investigations are in progress following the release of Log4j 2.17.0. As Corda’s explicit disabling of Java serialization is an effective countermeasure against the vulnerabilities, the update to Log4j 2.17.0 (or the latest version at that time) will be available at the end of January 2022.

CENM 1.3.4 and Business Network Manager tool 1.1.1 updates have been released. Please check the patch release timetable for the updated schedule of outstanding patches.

All fixes move dependencies to Log4j 2.16.0.

All planned Corda OS and Corda Enterprise updates have been released. CENM 1.2.5 has been released. Please check the patch release timetable for the updated schedule of outstanding patches. Some CENM patches have been pushed back from Dec 17 to Dec 20.

All fixes move dependencies to the latest secure patch of Apache Log4j - 2.16.0.

Patch releases to upgrade Corda and CENM to a safe version of Apache Log4j have been accelerated. Please check the patch release timetable for new dates. Many patches have been brought forward and are now due for release on December 16.

For details of each release, and to get access to downloads, check the release notes page for your version of Corda and CENM in the docs.

In response to news of the Apache Log4j 2 vulnerability, and the subsequent vulnerability in the Log4j 2.15.0 patch, new patches for all supported versions of Corda Open Source, Corda Enterprise, and CENM are in progress.

Check the patch release timetable for expected patch release dates for your version of Corda or CENM. Use the mitigation guide to reduce your risk before upgrading to the new patch.

If a patch has been released for this version of Corda, follow the instructions in the Corda docs for upgrading nodes to a new minor version. You do not need to patch CorDapps, as they inherit Apache Log4j from the Corda runtime.

If you are waiting for the release of the required emergency patch for your current version, you can apply one of the following steps to mitigate the threat posed by the Apache Log4j vulnerability:

Use the log4j2.formatMsgNoLookups Java property. Set it to true by passing it as a Java parameter when you start Corda:

java -Dlog4j2.formatMsgNoLookups=true -jar corda.jar

Alternatively, you can configure a system environment variable which has the same effect. For example, in Linux:

export LOG4J_FORMAT_MSG_NO_LOOKUPS=true

In both cases, the Corda node must be restarted for these mitigations to take effect.

For Corda and CENM versions using a version of Log4j prior to 2.10, the mitigation outlined for later versions does not work. You should continue to check these pages as new mitigation steps are being tested and will be added as soon as possible. Refer to https://nvd.nist.gov/vuln/detail/CVE-2021-44228 or https://logging.apache.org/log4j/2.x/security.html for information in the meantime.
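The guidance above combined into one check, as an added example (not R3's code): it classifies a Log4j version against the page's thresholds and tests whether a JVM command line or process environment carries one of the two interim mitigations. The function names and verdict strings are hypothetical, the Log4j version is assumed to be known from the node's dependencies, and the sample command line is constructed.

```shell
#!/bin/sh
# Added example, not R3 code. Thresholds come from the page: the flag works
# from Log4j 2.10, and the patches move dependencies to 2.16.0 or later.

# Print how the page's guidance applies to one Log4j 2.x version string.
classify_log4j() {
  minor=${1#2.}                       # drop the leading "2."
  [ "$minor" != "$1" ] || { echo "not-log4j2"; return; }
  minor=${minor%%.*}                  # keep only the minor number
  case $minor in ''|*[!0-9]*) echo "unknown"; return ;; esac
  if [ "$minor" -ge 16 ]; then echo "patched"
  elif [ "$minor" -ge 10 ]; then echo "flag-applies"
  else echo "flag-ineffective"
  fi
}

# Succeed if the JVM command line ($1) or the process environment
# ($2, one VAR=value per line) carries either mitigation from the page.
has_mitigation() {
  case " $1 " in
    *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
  esac
  printf '%s\n' "$2" | grep -qx 'LOG4J_FORMAT_MSG_NO_LOOKUPS=true'
}

# Combine both checks: VERSION, CMDLINE, ENVIRONMENT -> one verdict.
assess() {
  state=$(classify_log4j "$1")
  if [ "$state" != "flag-applies" ]; then echo "$state"
  elif has_mitigation "$2" "$3"; then echo "mitigated-until-patched"
  else echo "exposed-set-flag-and-restart"
  fi
}

# Linux only: inspect what a running node (PID $2) was started with, so a
# setting made without a restart is reported as missing.
assess_pid() {
  cmd=$(tr '\0' ' ' < "/proc/$2/cmdline") || return 2
  envs=$(tr '\0' '\n' < "/proc/$2/environ") || return 2
  assess "$1" "$cmd" "$envs"
}

# Constructed sample: flag set on the command line of a 2.13.3 node.
assess 2.13.3 "java -Dlog4j2.formatMsgNoLookups=true -jar corda.jar" ""
```

Reading /proc for another user's process requires matching privileges; run assess_pid as the account that owns the node process.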

This table was last updated on February 11 2022 14:00 GMT.

All patches listed upgrade to Log4j 2.16.0, except Corda 5 Developer Preview 1.1, which is an upgrade to Log4j 2.17.1.

| Version with new patch | Patch target shipping date | Interim mitigation available |
|---|---|---|
| Corda Enterprise 4.8.5 | Released Dec 16 | Yes |
| Corda Enterprise 4.7.5 | Released Dec 16 | Yes |
| Corda Enterprise 4.6.7 | Released Dec 16 | Yes |
| Corda Enterprise 4.5.8 | Released Dec 16 | Yes |
| Corda Enterprise 4.4.10 | Released Dec 16 | Yes |
| Corda Enterprise 4.3.10 | Released Dec 16 | Yes |
| CENM 1.5.3 | Released Dec 21 | Yes |
| CENM 1.4.3 | Released Dec 22 | Yes |
| CENM 1.3.4 | Released Dec 20 | Yes |
| CENM 1.2.5 | Released Dec 17 | No |
| Corda 5 Developer Preview 1.1 | Released Feb 11 | NA - not used in production |
| Business Network Manager tool 1.1.1 | Released Dec 17 | No |
| Business Network Manager tool 1.0.1 | Released Dec 24 | No |
| CENM management console (Gateway Plugin) | Released Dec 21 | No |
| Node management console 1.0.2 | Released Dec 22 | No |
| Flow management console 1.0.2 | Released Dec 22 | No |

Patch releases are not available for Corda OS.

Corda OS 4.3-4.8 Log4j dependency has been updated to v2.17.1.
