IMPORTANT: Please see the latest announcement here.
SailPoint has fully mitigated the Log4J RCE vulnerability (CVE-2021-44228) in all impacted products.
We are aware of the recently-identified Log4J DoS vulnerability (CVE-2021-45046) that is also applicable to the impacted products. While this new DoS vulnerability has a low severity (CVSS score of 3.7 per NVD), we are actively working on addressing this vulnerability by upgrading to Log4J 2.16.0 and expect product releases that include the updated library to be available in the coming days.
We will be issuing further communications once this issue has been addressed. No action is needed at this time.
Earlier today, a critical vulnerability in the log4j library used in several SailPoint SaaS solutions (IdentityNow and IdentityAI) was announced and is being tracked by CVE-2021-44228.
SailPoint is actively tracking this vulnerability and has implemented mitigating controls in our SaaS edge services. Teams are actively working to complete additional mitigations and remediations associated with on-premise services. Estimated completion for internal services is tomorrow, Dec 11th.