Severity: Critical
2021-12-10
Security Advisories
Apache Log4j2 <= 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.
The Oxygen XML products incorporate Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
See also https://www.oxygenxml.com/oxygen_xml_vulnerability_analysis_faq.html for more information.
First, check the Affected Products/Versions table to see whether a fix is available for your current version, and update your installation to the new maintenance build.
Otherwise, if you cannot upgrade the application, patch or update the Log4j library. To patch it, remove the JndiLookup class from the log4j-core JAR:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
For additional details, see also the Log4Shell - Oxygen XML Vulnerability Analysis FAQ.
Oxygen Web Author Test Server Add-on / XSD to JSON Schema Converter / Git Client / Batch Documents Converter: If you cannot upgrade to the updated fix version, uninstall the plugin.
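To confirm that the JndiLookup removal above took effect everywhere under an installation directory, the following added example (not Oxygen's own tooling and not the oxygen-log4j-patcher) lists the JARs that still contain the class and rewrites them without it. The sample JAR names are constructed for the demonstration, and JARs nested inside other archives are not inspected.

```python
import os
import shutil
import tempfile
import zipfile

# Class removed by the mitigation above (path inside the log4j-core JAR).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_jars_with_jndi_lookup(root):
    """Return sorted .jar paths under root that still contain JndiLookup.class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".jar") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as jar:
                    if JNDI_CLASS in jar.namelist():
                        hits.append(path)
    return sorted(hits)

def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class; return True if it was removed."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        tmp = jar_path + ".tmp"
        with zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_CLASS:
                    dst.writestr(item, src.read(item.filename))
    shutil.copymode(jar_path, tmp)   # keep the original file permissions
    os.replace(tmp, jar_path)        # swap in the patched archive
    return True

def make_sample_install(root):
    """Constructed sample: one JAR with the class, one without (names are made up)."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-sample.jar"), "w") as jar:
        jar.writestr(JNDI_CLASS, b"constructed placeholder bytes")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
    with zipfile.ZipFile(os.path.join(lib, "other-sample.jar"), "w") as jar:
        jar.writestr("com/example/Other.class", b"placeholder")
    return lib

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        make_sample_install(root)
        print([strip_jndi_lookup(j) for j in find_jars_with_jndi_lookup(root)])
```

Stop the application before patching its JARs, and run the finder again afterwards; an empty result means no scanned JAR still carries the class.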
CVE-2021-44228
Severity: Critical
CVSS Score: 10
The Apache Log4j2 third-party library used by Oxygen XML products is one of the affected versions mentioned in the CVE-2021-44228 vulnerability description. However, we patched our public services against this vulnerability.
2021-12-20 Add recommendation to use the oxygen-log4j-patcher and content-fusion-log4j-patcher as mitigation.
2021-12-17 Oxygen XML Editor / Oxygen XML Developer / Oxygen XML Author: Starting with version 22.1 build 2021121715 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-17 Oxygen Publishing Engine: Starting with version 22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-17 Oxygen XML WebHelp: Starting with version 22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-17 Oxygen PDF Chemistry: Starting with version 22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-17 Updated the Mitigation section to match the latest mitigation recommendations from Apache Log4j.
2021-12-16 Oxygen XML Editor / Oxygen XML Developer / Oxygen XML Author: Starting with version 24.0 build 2021121518 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-16 Oxygen XML Web Author: Starting with version 24.0.0.2 build 2021121606 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-16 Oxygen Content Fusion: Starting with version 4.1.4 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-16 Oxygen Publishing Engine: Starting with version 24.0 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-16 Oxygen XML WebHelp: Starting with version 24.0 build 2021121511 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-16 Oxygen PDF Chemistry: Starting with version 24.0 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-16 Oxygen License Server: Starting with version 24.0 build 2021121512 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-15 Web Author PDF Plugin: Starting with version 24.0.1 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability. Starting with version 23.1.1.2 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-15 Oxygen Web Author Test Server Add-on: Starting with version 24.0.0.1 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability. Starting with version 23.1.2 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 22.1.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-15 XSD to JSON Schema Converter: Starting with version 24.0.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 23.1.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-15 Git Client: Starting with version 3.0.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-15 Batch Documents Converter: Starting with version 3.2.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-14 Oxygen XML Editor / Oxygen XML Developer / Oxygen XML Author: Starting with version 24.0 build 2021121317 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability. Starting with version 23.1 build 2021121415 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-14 Oxygen XML Web Author: Starting with version 24.0.0 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability. Starting with version 23.1.1.2 build 2021121408 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-14 Oxygen Content Fusion: Starting with version 4.1.3 build 2021121315 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability. Starting with version 3.0.1 build 2021121414 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-14 Oxygen Feedback Enterprise: Starting with version 1.4.5 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.
2021-12-14 Oxygen Publishing Engine: Starting with version 24.0 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability. Starting with version 23.1 build 2021121413 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-14 Oxygen XML WebHelp: Starting with version 24.0 build 2021121311 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability. Starting with version 23.0 build 2021121412 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-14 Oxygen PDF Chemistry: Starting with version 24.0 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability. Starting with version 23.1 build 2021121413 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-14 Oxygen License Server: Starting with version 24.0 build 2021121311 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.
2021-12-13 Updated mitigation procedure and linked FAQ web page for more information.