Dear all,

Any return for this question? We don't have a oficial return from Microfocus about this case.

Thanks in advance.

Statement made available from Micro Focus legal around 12/12/2021 @ 5:34 pm CST.

1. Are you aware of Log4J or Logshell/LogJam ( CVE-2021-44228 )?
   Yes, and at this point Micro Focus’ review has found no indications of a vulnerability being exploited. We continue to monitor closely.
2. What is Micro Focus doing?
   • The appropriate security teams are fully engaged and have been since we were first alerted on Friday. 
   • We are following Cybersecurity and Infrastructure Security Agency (CISA) and National Cyber Security Centre (NCSC) guidance on this issue.
   • In addition, Micro Focus has implemented a Secure Development Lifecycle that includes Supply Chain Security, 3rd Party Component Manifest and 3rd Party Component Monitoring. Using these formal processes, we are working through this subject. 
   • At the Micro Focus network enterprise level our internal security tooling has been updated and we will continue to monitor our operations for issues.  

----

If you've identified anything to the contrary you can report it here: www.microfocus.com/.../product-security-response-center

Hi Ebell,

We can create a template at the audit workbench to block any project what contain call to lib org.apache.logging.log4j:log4j-core? If is possible, can you tel me how?

Here are a couple of links with additional information community.microfocus.com/.../summary-of-cyberres-impact-from-log4j-or-logshell-logjam-cve-2021-44228 and www.microfocus.com/.../log4j