Log4j critical vulnerability: CVE-2021-44228

I reached out to our CSM and received the following communication for the time being.

The UiPath Security and Product Engineering teams are completing the exposure analysis of the Log4J vulnerability, categorized as CVE-2021-44228 and taking mitigation actions. At this time, UiPath has found no evidence of risk associated with this vulnerability for the following products:

  • Studio (all types), Assistant, Robot (all types including AI Robots, Cloud Robots, etc.)
  • Orchestrator
  • Automation Hub (including Task Capture)
  • Data Services
  • Task Mining
  • Process Mining
  • Test Manager
  • Automation Ops
  • Action Center
  • Apps
  • AI Center
  • HAA
  • All UiPath Activity Packages published to the UiPath Official Feed
  • Automation Cloud supporting services not accessible by customers

The following products are still under investigation by UiPath:

  • Insights
  • Automation Suite supporting services

Customers using Elastic Search which is commonly leveraged alongside UiPath products should be aware that Elastic has announced that that versions 6.x and 7.x are mitigated, however customers should follow Elastic announcements via their blog.