13.12.2021 NICE products and Apache Log4j2 Issue (CVE-2021-44228)

Here is the official statement from NICE related to NICE products and the Apache Log4j2 issue:


NICE EnginFrame from version 2019.0-r1424 to 2021.0-r1307 is affected by the security issue. NICE recommends that you upgrade to the latest EnginFrame version available on https://download.enginframe.com/ (version 2021.0-r1315 or newer) or update the “Log4j2” library in your NICE EnginFrame installation following the instructions at “NICE EnginFrame – Updating Log4j from 2.13 to 2.15.0”. Older versions of NICE EnginFrame are not using “Log4j2” and so they are not affected by this issue.

Following a recent update for the issue, which led to an additional update of “Log4j2” to version 2.17.0, we strongly encourage customers who manage environments containing “Log4j2” to update to the latest version of the library, even if they already updated to version 2.15.0 or 2.16.0 in the past few days.

NICE DCV, including the NICE DCV Session Manager, does not use “Log4j2” and so is not affected by the security issue. If you are using NICE EnginFrame Views as a session broker for your NICE DCV installation, please upgrade or patch your NICE EnginFrame installation as recommended above.

In addition, here is a hotpatch for running Java applications that use vulnerable Log4j2 versions: https://aws.amazon.com/de/blogs/opensource/hotpatch-for-apache-log4j/
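
One way to check an installation against the version numbers in the statement above, as an added example that is not NICE's code. It assumes EnginFrame versions order by year, minor number and revision, and that Log4j2 is present as standard `log4j-core-<version>.jar` files; the script name and command-line arguments are hypothetical.

```python
import re
import sys
from pathlib import Path

# Version bounds taken from the statement above.
EF_FIRST_AFFECTED = (2019, 0, 1424)   # 2019.0-r1424
EF_LAST_AFFECTED = (2021, 0, 1307)    # 2021.0-r1307
LOG4J_MINIMUM = (2, 17, 0)            # library version the statement asks for

# Assumption: versions look like YYYY.N-rREV and sort as (YYYY, N, REV).
EF_RE = re.compile(r"^(\d{4})\.(\d+)-r(\d+)$")
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")

def parse_ef_version(text):
    """Parse 'YYYY.N-rREV' into a tuple; raise ValueError on anything else."""
    m = EF_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an EnginFrame version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def enginframe_affected(text):
    """True if the version lies inside the affected range (inclusive)."""
    return EF_FIRST_AFFECTED <= parse_ef_version(text) <= EF_LAST_AFFECTED

def log4j_jar_version(filename):
    """Return (major, minor, patch) for a log4j-core JAR name, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def outdated_log4j_jars(root):
    """List log4j-core JARs older than LOG4J_MINIMUM below root.
    Only file names are inspected; JARs packed inside WAR/EAR archives
    or shaded into other JARs are not detected."""
    hits = []
    for path in sorted(Path(root).rglob("log4j-core-*.jar")):
        version = log4j_jar_version(path.name)
        if version is not None and version < LOG4J_MINIMUM:
            hits.append((str(path), version))
    return hits

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_log4j.py <EnginFrame version> <install dir>")
    print("EnginFrame affected:", enginframe_affected(sys.argv[1]))
    for jar, ver in outdated_log4j_jars(sys.argv[2]):
        print("outdated:", jar, ".".join(map(str, ver)))
```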

If you have any questions, just let us know.