Hi Sonatype Community,
On Friday, the internet was set on fire with news of the extremely widespread Log4j vulnerability and of rapid mass-scanning efforts by bad actors to exploit it. Almost no organization is unaffected.
We wanted to let you know that Sonatype products do not use log4j-core. This means our software, including Nexus Lifecycle, Nexus Firewall, Nexus Repository Manager OSS, and Nexus Repository Manager Pro in versions 2.x and 3.x, is NOT affected by CVE-2021-44228. We still advise keeping your software upgraded to the latest version.
Unsure if your organization is impacted? See our Find & Fix Log4j guide for help as you investigate your applications and environments for this vulnerability.
Explore the very latest findings around the Log4Shell vulnerability in our resource center.
If you have any additional questions about this, we are happy to answer them in the thread below.
More information about this ongoing situation can also be found on the Sonatype Blog.