CVE-2021-44228 (log4shell) and Redgate's products

15th December 2021

This page details the results of Redgate's investigation into the impact of the recent vulnerability in log4j, CVE-2021-44228.

Redgate's products

None of Redgate's products include log4j. You do not need to upgrade any of Redgate's products to mitigate this vulnerability.

If you are using Flyway's Java integration, it can use a version of log4j that your code loads onto its classpath. If you choose to do this, ensure that you are using a non-vulnerable version of log4j. The Flyway CLI does not use log4j.
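One way to check the jars on an application's classpath for log4j-core, as an added example that is not Redgate's or Flyway's code: it reports each copy found, including jars nested inside an application archive, and flags for review any copy that is older than 2.16.0 and still contains the JndiLookup class, the two criteria named in the 2021-12-17 update on this page. The function names and the in-memory sample jars are constructed for illustration.

```python
import io
import re
import zipfile

# Entries that identify log4j-core 2.x inside a jar
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MIN_VERSION = (2, 16, 0)  # assumption: the version named in this page's update

def parse_version(text):
    # pom.properties carries a "version=x.y.z" line written by Maven
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_jar(data, name="<jar>"):
    """Return one finding per log4j-core copy in a jar (bytes), nested jars included."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:
            version = parse_version(zf.read(POM).decode("utf-8", "replace")) if POM in names else None
            has_jndi = JNDI in names
            # OK if JndiLookup was removed, or the version meets the threshold
            ok = (not has_jndi) or bool(version and version >= MIN_VERSION)
            findings.append({"jar": name, "version": version,
                             "jndi_lookup": has_jndi, "status": "ok" if ok else "review"})
        for entry in sorted(names):
            if entry.endswith((".jar", ".war")):
                try:
                    findings += scan_jar(zf.read(entry), f"{name}!{entry}")
                except zipfile.BadZipFile:
                    pass  # not a readable archive; skip it
    return findings

def build_jar(files):
    # Build a constructed sample jar in memory from {entry name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in files.items():
            zf.writestr(entry, content)
    return buf.getvalue()

# Constructed samples (stand-ins, not real log4j jars)
OLD = build_jar({POM: b"version=2.14.1\n", JNDI: b""})
STRIPPED = build_jar({POM: b"version=2.14.1\n"})  # JndiLookup class removed
NEW = build_jar({POM: b"version=2.16.0\n", JNDI: b""})
APP = build_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": OLD})

if __name__ == "__main__":
    for label, jar in [("old", OLD), ("stripped", STRIPPED), ("new", NEW), ("app", APP)]:
        print(label, scan_jar(jar, label))
```

To scan a real file, pass its bytes and path, for example `scan_jar(open(path, "rb").read(), path)`. A "review" result means the copy needs a closer look against the log4j project's advisories, not that it is confirmed exploitable.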

Redgate's business systems

Redgate conducted an assessment of its business systems on 10th December 2021.

A small number of our systems were found to be potentially vulnerable; we undertook remediation of these systems through 11th December 2021.

We found no evidence of malicious activity prior to remediation.

Update 2021-12-17

Following the disclosure of the additional CVE-2021-45046 and the further mitigations required for log4j 2.15.0, we have reassessed our infrastructure and upgraded to log4j 2.16.0 or removed the JndiLookup class as appropriate. We do not rely on earlier mitigations using log4j2.formatMsgNoLookups.