# Nexthink and Log4j

## Question <a href="#nexthinkandlog4j-question" id="nexthinkandlog4j-question"></a>

Is Nexthink Experience vulnerable to the recently disclosed security issue affecting Log4j?

## Answer <a href="#nexthinkandlog4j-answer" id="nexthinkandlog4j-answer"></a>

Following a thorough security assessment of Nexthink Experience, a third-party library with a transitive dependency on Log4j was found in our cloud platform.

Although the issue was not exploitable because the library was not used, we chose to patch the third-party library preventively.

Please note that Nexthink Experience client-side applications such as Collector and Finder are not written in Java and are, therefore, not impacted by this vulnerability.

Nexthink also performed a vulnerability assessment with our sub-processors to ensure their services are protected against the vulnerability. We can therefore confirm that our cloud platform sub-processors are either not vulnerable or have been patched.

## Mitigating actions <a href="#nexthinkandlog4j-mitigatingactions" id="nexthinkandlog4j-mitigatingactions"></a>

Preventively, Nexthink has rolled out a maintenance release to patch the third-party library. All backend components were successfully patched on December 16.

## Executive Summary <a href="#nexthinkandlog4j-executivesummary" id="nexthinkandlog4j-executivesummary"></a>

A remote code execution vulnerability was publicly disclosed on December 9, 2021. The Log4j open-source library is one of the most popular Java logging frameworks. The vulnerability affects all Java applications that use Log4j versions from 2.0 up to 2.14.1.

## Vulnerability information <a href="#nexthinkandlog4j-vulnerabilityinformation" id="nexthinkandlog4j-vulnerabilityinformation"></a>

Please find additional information about the CVE:

* [NIST CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
* [Apache Log4j Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.md)

## Affected software <a href="#nexthinkandlog4j-affectedsoftware" id="nexthinkandlog4j-affectedsoftware"></a>

* Nexthink third-party library

## Disclaimer <a href="#nexthinkandlog4j-disclaimer" id="nexthinkandlog4j-disclaimer"></a>

The use of the software is subject to the terms and conditions of its applicable license agreement and then-effective documentation. This information is provided “as-is” without a warranty of any kind.

## Revision <a href="#nexthinkandlog4j-revision" id="nexthinkandlog4j-revision"></a>

First release


