In December 2021, some vulnerabilities in the popular open-source Java package Apache Log4j were publicly disclosed.

Applications that use the Log4j Java logging library might be vulnerable to attackers injecting malicious code into them. Fixed versions of the library are already available, and the current response is to upgrade to those new library versions.

For the latest information about whether these vulnerabilities affect software tools developed by Arm, please refer to the Arm Log4j security response Knowledge Base Article.

Please note that:

  • Code produced using development tools from Arm is not affected by these vulnerabilities.
  • Firmware, hypervisor code, kernel code, and drivers that Arm releases do not embed Java runtimes and are not written in the Java programming language. We believe that these system software components are therefore not affected by these vulnerabilities.
  • Arm can only comment on our own software products. For all other third-party software that is run on Arm-based devices, partners and users should contact the relevant third-party developers as necessary.