Oxygen XML Editor
The Premier All-In-One XML Editing Suite
Oxygen XML Author
Single-Source XML Authoring and Multi-Channel Publishing
Oxygen XML Developer
The Required Tools for Designing XML Schemas and Transformation Pipelines
Oxygen JSON Editor
The Perfect Tool to Simplify Your JSON Editing Experience
Oxygen Publishing Engine
The Complete DITA Publishing Solution for WebHelp and PDF Output
Oxygen PDF Chemistry
Chemistry Converts HTML and XML to PDF Using CSS
Oxygen XML WebHelp
Publish DITA Content to WebHelp Output
Oxygen Styles Basket
Customize the Look and Feel of Your PDF and WebHelp Output
Oxygen XML Web Author
Engage Your Whole Organization In Content Creation
Oxygen Content Fusion
The Web-based Collaboration Platform to Craft Tomorrow's Content
Oxygen Feedback
Modern Commenting Platform
Cloud
Enterprise
Oxygen AI Positron
Enhance Your Productivity with the Power of AI
Oxygen Scripting
Automate and Run Oxygen Utilities from the Command-Line Interface
Oxygen SDK
Specifically designed for application developers and integrators
Shop
Pricing and licensing for businesses, Academic and individuals
Severity: Low2021-12-15
Security Advisories
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.
log4j2.noFormatMsgLookup
The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
This behavior can be mitigated by removing the the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
CVE-2021-45046
Severity: Critical
CVSS Score: 9.0
The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-45046 vulnerability description. However, our default configuration doe not change the Pattern Layout and the vulnerability can be only exploited by modifying the logging configuration by a trusted party. For that reason, we have rated the severity level for our products as low.
2021-12-21 Oxygen XML Editor / Oxygen XML Developer / Oxygen XML Author: Starting with version 24.0 build 2021121518 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 23.1 build 2021121415 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 22.1 build 2021121715 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 Oxygen XML Web Author: Starting with version 24.0.0 build 2021121314 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 23.1.1.2 build 2021121408 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 Oxygen Content Fusion: Starting with version 4.1.4 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 3.0.1 build 2021121414 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 Oxygen Feedback Enterprise: Starting with version 1.4.5 build 2021121314 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability.
2021-12-21 Oxygen Publishing Engine: Starting with version 24.0 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 23.1 build 2021121413 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 Oxygen XML WebHelp: Starting with version 24.0 build 2021121511 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 23.0 build 2021121412 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 Oxygen PDF Chemistry: Starting with version 24.0 build 2021121611 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 23.1 build 2021121413 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 22.1 build 2021121712 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 Oxygen License Server: Starting with version 24.0 build 2021121311 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 Web Author PDF Plugin: Starting with version 24.0.1 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability. Starting with version 23.1.1.2 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 Oxygen Web Author Test Server Add-on: Starting with version 24.0.0.1 the Apache Log4j library was updated to version 2.15. This version is not affected anymore by this vulnerability. Starting with version 23.1.2 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 22.1.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 XSD to JSON Schema Converter: Starting with version 24.0.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability. Starting with version 23.1.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 Git Client: Starting with version 3.0.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
2021-12-21 Batch Documents Converter: Starting with version 3.2.1 the Apache Log4j library was updated to version 2.16. This version is not affected anymore by this vulnerability.
List of Security Advisories