Customer Security is a top priority for Rocket Software and is an essential part our customer experience. We are constantly improving our capabilities, practices, and our people to deliver products and services that meet the highest security standards. 

However, even with this commitment to security excellence, there are still cases where vulnerabilities can be present.

The Rocket Software Security Teams were recently made aware of a vulnerability in the widely utilized Apache Java logging library Log4j2 package that can allow an attacker unauthenticated remote code execution (RCE) access to the servers that the run this software. This vulnerability has been tracked as CVE-2021-44228 and is classified as severe.

With regard to Rocket Software's products, we have identified which software platforms and versions contain the vulnerable Log4j2 utility code and are actively remediating the affected products.  Rocket Software highly recommends that customers running impacted software packages follow the Apache recommended mitigation process which can be found here.

Rocket Software's information security team has implemented preliminary mitigations to protect our enterprise resources against this threat. We continue to evaluate this evolving risk and will deploy additional preventive and detective capabilities within our enterprise technology environment.

Customer Security is a top priority for Rocket Software and is an essential part our customer experience. We are constantly improving our capabilities, practices, and our people to deliver products and services that meet the highest security standards. 

However, even with this commitment to security excellence, there are still cases where vulnerabilities can be present.

The Rocket Software Security Teams were recently made aware of a vulnerability in the widely utilized Apache Java logging library Log4j2 package that can allow an attacker unauthenticated remote code execution (RCE) access to the servers that the run this software. This vulnerability has been tracked as CVE-2021-44228 and is classified as severe.

With regard to Rocket Software's products, we have identified which software platforms and versions contain the vulnerable Log4j2 utility code and are actively remediating the affected products.  Rocket Software highly recommends that customers running impacted software packages follow the Apache recommended mitigation process which can be found here.

Rocket Software's information security team has implemented preliminary mitigations to protect our enterprise resources against this threat. We continue to evaluate this evolving risk and will deploy additional preventive and detective capabilities within our enterprise technology environment.

Hi David,

You said:
With regard to Rocket Software's products, we have identified which software platforms and versions contain the vulnerable Log4j2 utility code and are actively remediating the affected products.  Rocket Software highly recommends that customers running impacted software packages follow the Apache recommended mitigation process which can be found here.

Okay - how do I as a customer determine if I'm running an "impacted software package"? 

I asked earlier today in the Universe specific forum if Universe was affected.   My post was promptly responded to, telling me that Universe isn't affected, but that an official statement would be forthcoming.

If your statement is "the official statement" from Rocket - it's unfortunately lacking the detail I need to respond to my management with.

Thanks in advance for any further clarification you can provide.