SailPoint Response to log4j Remote Code Execution Vulnerability

IMPORTANT: Please see the latest announcement here.

Please see our respective responses below for IdentityNow and IdentityIQ:

For IdentityIQ: SailPoint IdentityIQ Response to log4j Remote Code Execution Vulnerability

For IdentityNow: SailPoint SaaS Services Response to log4j Remote Code Execution Vulnerability

SailPoint has fully mitigated the Log4J RCE vulnerability (CVE-2021-44228) in all impacted products.

We are aware of the recently identified Log4J DoS vulnerability (CVE-2021-45046), which also applies to the impacted products. While this new DoS vulnerability has a low severity (CVSS score of 3.7 per NVD), we are actively working on addressing it by upgrading to Log4J 2.16.0, and we expect product releases that include the updated library to be available in the coming days.

We will be issuing further communications once this issue has been addressed. No action is needed at this time.
