Log4j2 Vulnerability – CVE-2021-44228

By [GGP] David

Posted in News, Press Releases, Uncategorized on December 14th 2021 11:44

We are actively investigating the impact of the log4j2 library vulnerability (CVE-2021-44228) disclosed on December 9 2021, as some of the components of our products contain this common logging library.

WebGIS is based on GeoServer which includes log4j as a dependency. The version of log4j installed at customer sites and within our hosted cloud environment (v1.2.17) is unaffected by this vulnerability. However, since on-premise installations may have been manually updated by Local Authority IT Support teams to a later version, we recommend that on-premise installations of GGP WebGIS are checked to ensure that the original log4j library remains installed. See http://geoserver.org/announcements/2021/12/13/logj4-rce-statement.html for further information.
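One way to carry out the check recommended above, as an added example (not GGP or GeoServer tooling): it walks a directory of jars, confirms that any log4j jar is still v1.2.17, and flags any jar that bundles the log4j 2.x `JndiLookup` class. The directory is supplied by the operator, and the status labels are chosen for this example.

```python
import re
import sys
import zipfile
from pathlib import Path

EXPECTED = "1.2.17"  # log4j version the advisory says ships with WebGIS
# Lookup class at the centre of CVE-2021-44228; present only in log4j 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-1.2-api-2.14.1.jar
NAME_RE = re.compile(r"^log4j.*?-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)


def scan(root):
    """Return {relative jar path: status} for every jar worth reporting.

    Status labels (chosen for this example):
      OK         log4j jar with the expected 1.x version
      CHANGED    log4j jar whose version differs from EXPECTED
      REVIEW     any jar that bundles the log4j 2.x JndiLookup class
      UNREADABLE log4j-named file that is not a valid archive
    """
    root = Path(root)
    findings = {}
    for jar in sorted(root.rglob("*.jar")):
        key = jar.relative_to(root).as_posix()
        named = NAME_RE.match(jar.name)
        try:
            with zipfile.ZipFile(jar) as zf:
                has_jndi = JNDI_LOOKUP in zf.namelist()
        except (zipfile.BadZipFile, OSError):
            if named:
                findings[key] = "UNREADABLE"
            continue
        if has_jndi:  # also catches a renamed or repackaged log4j-core
            findings[key] = "REVIEW"
        elif named:
            findings[key] = "OK" if named.group(1) == EXPECTED else "CHANGED"
    return findings


if __name__ == "__main__":
    # Usage: python check_log4j.py <directory holding the WebGIS jars>
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, status in results.items():
        print(f"{status:<10} {path}")
    if not results:
        print("no log4j jars found")
    # Non-zero exit when nothing was found or anything is not OK.
    sys.exit(0 if results and all(s == "OK" for s in results.values()) else 1)
```

Jars nested inside other archives (for example a packed `.war`) are not opened by this scan; unpack them first or point the script at the expanded directory.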

GGP4/GGP5 core desktop products (GGP, NGz and SNN) run on a non-Java runtime and are therefore unaffected by the log4j2 library vulnerability. It should be noted that GGP desktop products can launch external third-party software applications, but we cannot be responsible for the vulnerability in any such third-party software application launched this way. It is the responsibility of the respective software provider to ensure any vulnerability in their software is mitigated.
