...
Grid Protection Alliance
Grid Solutions Division

Response to CISA Apache Log4j Vulnerability Update

December 2021
Vulnerability
...

The recently reported, highly publicized Apache Log4j 2 vulnerability CVE-2021-44228 does not affect any GPA applications. All officially released GPA applications use .NET, not Java, and custom logging services found in the Grid Solutions Framework, developed and maintained by GPA.
The only Java components ever developed by GPA are a GEP data subscriber for Java and Hadoop interfaces used to read data from the v1.0 openHistorian. The Hadoop interface code does reference an older version of Log4j, specifically version 1.2.14 and 1.2.15, so these versions are not affected only Apache Log4j 2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable.