
HCSEC-2021-32

HCSEC-2021-32 PUBLISHED

**Bulletin ID:** HCSEC-2021-31

**Affected Products / Versions:** None known at this time.

**Publication Date:** December 13, 2021

**Summary**

HashiCorp products and services have no known exposure to the Apache Log4j 2 security issue (CVE-2021-44228) at this time. This bulletin will be updated if this situation changes.

**Background**

A high severity vulnerability impacting multiple versions of [Apache Log4j 2](https://logging.apache.org/log4j/), [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228), was [disclosed publicly](https://github.com/apache/logging-log4j2/pull/608) on December 9, 2021.

**Details**

CVE-2021-44228 relates to a vulnerability in Log4j 2, a Java logging framework. Generally, HashiCorp products and services are built using the Go language and ecosystem, and do not utilize Java or specifically Log4j 2. Our investigation continues, but HashiCorp products and services have no known direct exposure to this vulnerability at this point in time.

More broadly, beyond HashiCorp’s core products and services, HashiCorp utilizes software products & cloud services from a range of third parties across our business. We continue to systematically evaluate these for exposure and take remediation action as appropriate.

**Remediation**

None necessary at this time. This bulletin will be updated if this situation changes.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.*

Timeline

  • Dec 10, 2021 PoC Published
  • Dec 13, 2021 CVE Published