
Apache Log4j vulnerability patches

These patch releases address the Log4j vulnerability discovered December 9, 2021.

Update February 11 2022

A patch has been released to move dependencies to Log4j 2.17.1 for Corda 5 Developer Preview 1.0.1.

You can find more information about this patch release in the Corda 5 Developer Preview release notes.

Update February 7 2022

A patch has been released to move dependencies to Log4j 2.17.1 for Corda Enterprise 4.8.6.

You can find more information about this patch release in the Corda Enterprise release notes.

Update February 1 2022

A patch has been released to move dependencies to Log4j 2.17.1 for:

  • CENM 1.5.4
  • CENM 1.4.4
  • CENM 1.3.5
  • CENM 1.2.6

You can find more information about this patch release in the CENM release notes.

Update January 25 2022

A patch has been released to move dependencies to Log4j 2.17.1 for:

  • Corda Enterprise 4.7.6
  • Corda Enterprise 4.6.8
  • Corda Enterprise 4.5.9
  • Corda Enterprise 4.4.11
  • Node management console 1.0.3
  • Flow management console 1.0.3
  • Business Network membership management 1.1.2

You can find more information about this patch release in the release notes.

Update December 24 2021

The Business Network Manager tool 1.0.1 update has been released. Please check the patch release timetable for the updated schedule of outstanding patches.

All fixes move dependencies to Log4j 2.16.0.

Update December 22 2021

An update for CENM 1.4.3 has been released, and version 1.0.2 has been released for the node management and flow management consoles. Please check the patch release timetable for the updated schedule of outstanding patches.

All fixes move dependencies to Log4j 2.16.0.

Update December 21 2021

Investigations are in progress following the release of Log4j 2.17.0. However, as effective countermeasures against the vulnerabilities identified in earlier versions have now been implemented, the update to Log4j 2.17.0 (or the latest version at that time) will be available at the end of January 2022.

Updates for CENM 1.5.3 and the CENM Management Console have been released. Please check the patch release timetable for the updated schedule of outstanding patches.

All fixes move dependencies to Log4j 2.16.0.

Update December 20 2021

Investigations are in progress following the release of Log4j 2.17.0. As Corda’s explicit disabling of Java serialization is an effective countermeasure against the vulnerabilities, the update to Log4j 2.17.0 (or the latest version at that time) will be available at the end of January 2022.

CENM 1.3.4 and Business Network Manager tool 1.1.1 updates have been released. Please check the patch release timetable for the updated schedule of outstanding patches.

All fixes move dependencies to Log4j 2.16.0.

Update December 17 2021

All planned Corda OS and Corda Enterprise updates have been released. CENM 1.2.5 has been released. Please check the patch release timetable for the updated schedule of outstanding patches. Some CENM patches have been pushed back from Dec 17 to Dec 20.

All fixes move dependencies to the latest secure patch of Apache Log4j - 2.16.0.

Update December 16 2021

Patch releases to upgrade Corda and CENM to a safe version of Apache Log4j have been accelerated. Please check the patch release timetable for new dates. Many patches have been brought forward and are now due for release on December 16.

For details of each release, and to get access to downloads, check the release notes page for your version of Corda and CENM in the docs.

Update December 15 2021

In response to the Apache Log4j 2 vulnerability, and the subsequent vulnerability found in the Log4j 2.15.0 patch, new patches for all supported versions of Corda Open Source, Corda Enterprise, and CENM are in progress.

Check the patch release timetable for expected patch release dates for your version of Corda or CENM. Use the mitigation guide to reduce your risk before upgrading to the new patch.

What you can do now

If a patch has been released for your current version of Corda, follow the instructions for upgrading nodes to a new minor version. You do not need to patch CorDapps, because they inherit Apache Log4j from the Corda runtime.

If you are waiting for the release of the required emergency patch for your current version, you can apply one of the following steps to mitigate the threat posed by the Apache Log4j vulnerability:

For Corda OS/ENT 4.3 and above and CENM 1.3 and above

Set the log4j2.formatMsgNoLookups Java system property to true by passing it as a JVM parameter when starting Corda:

java -Dlog4j2.formatMsgNoLookups=true -jar corda.jar

Alternatively, you can set a system environment variable that has the same effect. For example, on Linux:

export LOG4J_FORMAT_MSG_NO_LOOKUPS=true

In both cases, the Corda node must be restarted for these mitigations to take effect.

Older versions of Corda

For Corda and CENM versions that use a Log4j version older than 2.10, the mitigation outlined for later versions does not work. Continue to check these pages: new mitigation steps are being tested and will be added as soon as possible. In the meantime, refer to https://nvd.nist.gov/vuln/detail/CVE-2021-44228 or https://logging.apache.org/log4j/2.x/security.html for information.
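As an added example (not part of this page or of Corda itself), the following Python script works out which of the cases above applies to a node that is still waiting for its patch: it reads the log4j-core version from the Maven metadata inside a jar (a constructed in-memory stand-in for corda.jar is used here, on the assumption that the fat jar keeps log4j-core's pom.properties), maps that version to the thresholds this page describes, and confirms whether the formatMsgNoLookups property or the equivalent environment variable is present in the node's start-up arguments.

```python
import io
import re
import zipfile

# Maven metadata path that fat jars keep for log4j-core (assumed to apply to corda.jar).
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def build_sample_jar(version=None):
    """Constructed stand-in for corda.jar: an in-memory zip holding only log4j-core's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version is not None:
            jar.writestr(POM_PATH, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()


def bundled_log4j_version(jar_bytes):
    """Return the log4j-core version recorded in the jar's Maven metadata, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PATH not in jar.namelist():
            return None
        for line in jar.read(POM_PATH).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def assess(version):
    """Classify a log4j-core version against the thresholds this page describes."""
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if v >= (2, 17, 1):
        return "patched-2.17.1"                # current patch target on this page
    if v >= (2, 16, 0):
        return "patched-2.16.0"                # December 2021 patch level; plan the 2.17.1 update
    if v >= (2, 10, 0):
        return "mitigate-then-patch"           # 2.10 to 2.15.0: formatMsgNoLookups works; restart, then patch
    return "pre-2.10-no-property-mitigation"  # see the Older versions of Corda section


def lookups_disabled(jvm_args, env):
    """True if the interim mitigation is active for a node started with these JVM args and environment."""
    prop = any(a == "-Dlog4j2.formatMsgNoLookups=true" for a in jvm_args)
    var = env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"
    return prop or var


if __name__ == "__main__":
    sample = build_sample_jar("2.14.1")  # constructed version, not a real Corda release
    found = bundled_log4j_version(sample)
    print(found, assess(found), lookups_disabled(["-jar", "corda.jar"], {}))
```

Run it against a real corda.jar by replacing the constructed sample with the bytes of the file; if the metadata path is missing, fall back to checking the version in the release notes for your Corda or CENM version.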

Corda Enterprise and CENM patch release timetable for the Apache Log4j issue

This table was last updated on February 11 2022 14:00 GMT.

All patches listed upgrade to Log4j 2.16.0, except Corda 5 Developer Preview 1.1, which upgrades to Log4j 2.17.1.

Version with new patch                      Patch target shipping date   Interim mitigation available
Corda Enterprise 4.8.5                      Released Dec 16              Yes
Corda Enterprise 4.7.5                      Released Dec 16              Yes
Corda Enterprise 4.6.7                      Released Dec 16              Yes
Corda Enterprise 4.5.8                      Released Dec 16              Yes
Corda Enterprise 4.4.10                     Released Dec 16              Yes
Corda Enterprise 4.3.10                     Released Dec 16              Yes
CENM 1.5.3                                  Released Dec 21              Yes
CENM 1.4.3                                  Released Dec 22              Yes
CENM 1.3.4                                  Released Dec 20              Yes
CENM 1.2.5                                  Released Dec 17              No
Corda 5 Developer Preview 1.1               Released Feb 11              NA - not used in production
Business Network Manager tool 1.1.1         Released Dec 17              No
Business Network Manager tool 1.0.1         Released Dec 24              No
CENM management console (Gateway Plugin)    Released Dec 21              No
Node management console 1.0.2               Released Dec 22              No
Flow management console 1.0.2               Released Dec 22              No

Corda OS

Patch releases are not available for Corda OS.

The Log4j dependency for Corda OS 4.3 to 4.8 has been updated to v2.17.1.
