log4j Vulnerability Update
Incident Report for Guidewire
Guidewire has concluded tracking Log4J on the status page. Please open a Community case if you have additional questions, as Guidewire will continue to monitor updates accordingly.
Posted May 19, 2022 - 14:20 PDT
Guidewire continues to prioritize Log4J 2.17.1 updates for remaining products that are potentially impacted. We will update this page as appropriate to notify you of any pending changes.
Posted Feb 17, 2022 - 10:10 PST
After previously updating Guidewire's products to Log4j 2.16 to address potential RCE (Remote Code Execution) vulnerabilities, Guidewire has also completed delivery of updates to Log4j 2.17 for all Self-Managed as well as Cloud customers running on the "Classic Platform" and Guidewire Cloud Platform (GWCP). Guidewire is prioritizing of updates for Log4j 2.17.1 for any products potentially impacted, has recently delivered 2.17.1 updates for select GWCP cloud releases, and will provide updates for other products at the earliest possible opportunity.
Posted Jan 19, 2022 - 08:30 PST
Guidewire has been actively evaluating the impact of CVE-2021-44228 - Log4j RCE within our products and our Cloud environments. Information about this situation has been posted to the Guidewire Community (https://community.guidewire.com/s/article/Update-to-customers-who-have-questions-about-the-use-of-log4j-in-Guidewire-products).

Our current progress on this evolving situation is as follows:
-Our Cloud Operations teams have implemented controls and patches designed to address the vulnerability for Guidewire Cloud Production, Pre-Production, and “Uplifted” Non-Production environments.
-Guidewire has provided suggestions and recommendations for Guidewire Cloud customers on how to remedy the vulnerability for their Non-Production environments.
-Our Cloud Operations teams have implemented controls and patches designed to address the vulnerability for affected InsuranceNow customers.

Guidewire has also provided instructions for Guidewire Self-Managed (on-premise) customers, which can be viewed at https://community.guidewire.com/s/article/Critical-Security-Vulnerability-Detected-in-3rd-party-library-Log4j-that-impacts-InsuranceSuite-applications in Guidewire Community (login required).

Our teams are fully dedicated to this ongoing situation and are continuing to evaluate additional updates that may be necessary for Guidewire Cloud and Guidewire Self-Managed customers. Please check back in to Guidewire Status for additional updates. As always, we thank you for your patience and support in managing this evolving situation.
Posted Dec 13, 2021 - 14:48 PST