- Currently JOC Cockpit and JobScheduler use log4j2 version 2.13.0.
- A vulnerability affects this version, see https://nvd.nist.gov/vuln/detail/CVE-2020-9488
- Severity Level: MINOR
- There is no evident exploit with JobScheduler as the vulnerability is about use of the SMTPS protocol which does not apply to the logging behavior of JobScheduler that makes use of log files only. However, some users might have configured log4j properties for use with SMTPS.
- We therefore consider this a minor vulnerability.
- JOC Cockpit, JobScheduler Master and Agents use log4j2.