
Diplomat MFT and Log4j (CVE-2021-44228)

A high-severity security vulnerability in the Log4j library was announced as CVE-2021-44228, which NIST published on December 10, 2021.

Diplomat MFT does not require Log4j and, therefore, removing those libraries (if present) will ensure Diplomat MFT is free from this vulnerability without any loss of function.

 Diplomat MFT v8.3.1 and earlier did not ship with log4j at all (though some customers might have installed it for troubleshooting purposes). Diplomat MFT v9, released in early October, *did* ship with Log4j but it is not a required component. 

Upon learning of the Log4j vulnerability, the team at Coviant Software moved swiftly to generate a new build of Diplomat MFT v9 which removes the Log4j libraries from distribution. Therefore, one way to resolve this Log4j security issue is to visit our support portal, download the latest v9 installer, and run it in “repair” mode. 

Another way is to simply delete any files matching the pattern “log4j*.jar” inside the folder “C:\program files\Coviant Software\Diplomat-j\tomcatWebserver\webapps\diplomat\WEB-INF\lib”, then restart the Diplomat MFT 64 service. 

We recommend that all users, regardless of version, check in the folder mentioned above to see if any “log4j*.jar” files exist, since they might have been installed manually at any point. If present, delete those files and restart the service.
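The check, delete and restart steps above can be scripted. The following PowerShell is an added example, not Coviant Software's own tooling; it assumes the default folder quoted in this article and that the Windows service display name begins with "Diplomat MFT 64". Run it from an elevated prompt, with `-WhatIf` first to preview what would be changed.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Folder named in the article; adjust if Diplomat MFT is installed elsewhere.
    [string]$LibDir = 'C:\program files\Coviant Software\Diplomat-j\tomcatWebserver\webapps\diplomat\WEB-INF\lib',
    # Assumption: the service display name matches the name used in the article.
    [string]$ServiceDisplayName = 'Diplomat MFT 64*'
)

if (-not (Test-Path -LiteralPath $LibDir -PathType Container)) {
    Write-Warning "Folder not found: $LibDir"
    return
}

# Look for any Log4j jars, including ones added by hand for troubleshooting.
$jars = @(Get-ChildItem -LiteralPath $LibDir -Filter 'log4j*.jar' -File)
if ($jars.Count -eq 0) {
    Write-Output "No log4j*.jar files in $LibDir; nothing to do."
    return
}

$removed = 0
foreach ($jar in $jars) {
    # Record name, size and hash before deletion for the change record.
    $hash = (Get-FileHash -LiteralPath $jar.FullName -Algorithm SHA256).Hash
    Write-Output ("Found {0} ({1} bytes, SHA256 {2})" -f $jar.Name, $jar.Length, $hash)
    if ($PSCmdlet.ShouldProcess($jar.FullName, 'Delete')) {
        try {
            Remove-Item -LiteralPath $jar.FullName -Force -ErrorAction Stop
            $removed++
        } catch {
            # A failed delete is reported rather than silently skipped.
            Write-Warning "Could not delete $($jar.Name): $($_.Exception.Message)"
        }
    }
}

# Restart only if something was actually removed.
if ($removed -gt 0 -and $PSCmdlet.ShouldProcess($ServiceDisplayName, 'Restart service')) {
    Restart-Service -DisplayName $ServiceDisplayName -ErrorAction Stop
}

# Re-scan so the final line reflects what is on disk now.
$left = @(Get-ChildItem -LiteralPath $LibDir -Filter 'log4j*.jar' -File)
Write-Output ("Removed {0} file(s); {1} log4j*.jar file(s) remain." -f $removed, $left.Count)
```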

Updated on December 15, 2021
