Log4j critical vulnerability: CVE-2021-44228

Since there is a new CVE (CVE-2021-44832 - Remote Code Execution - CVSS Score 6.6) I was hoping the Security Advisor page would be updated, but it isn’t. Is Insights affected by this CVE too? Are the solutions mentioned on the page enough, or are additional actions neccessary?

The patch from Apache addressing CVE-2021-44832 in 2.17.1 was released a week ago. It doesn’t appear UiPath has provided another patch for Insights based on their latest release notes.

I would suggest reaching out to your Support / CSM, or reporting a security issue to see if they are actively working on another patch and/or bring it to their attention.

Hey there, here’s the update from our security team:

This latest Apache update is non-critical. The impact appears to be just a DoS and is safe to update as part of our normal cycle, not necessary as a hotfix. Existing Insights updates do not need a further fix.

1 Like