Like many software companies around the world, SugarCRM recently became aware of a critical vulnerability in the Log4j software developed by Apache Software Foundation, which is generally used in web server applications. The zero-day attack exploiting Log4j software versions 2.0 to 2.14.1 is being referred to as CVE-2021-44228 or "Log4Shell." We quickly identified and remediated our affected systems by December 13, 2021. Based on our investigation, we have not detected that our web-based services were negatively affected by the exploit.
The SugarCRM Security Team continues to monitor the situation and we are ready to react appropriately to any intelligence about this vulnerability. In addition, measures designed to detect and prevent any attempted activity related to this vulnerability have been implemented by our organization. We will continue to keep our customers informed by way of email, if necessary.
On Premises customers should evaluate any technology stacks running SugarCRM products to ensure no vulnerabilities exist. Customers are encouraged to upgrade Elastic Search to at least the remediated version 7.16.1.
For further information about the vulnerability please visit these links, or search for CVE 2021-44228:
The SugarCRM Security Team
Manish kumar 9.x reached its end of support date in April 2021, so we do not run any kind of testing against that version. Like 10.0.x as I mentioned above, 9.x supported ES 5.4, 5.6, 6.2, 6.8, so we'll know more once ES 6.8.22 is tested. However, it is also strongly recommended to upgrade to a supported version of Sugar to ensure you're getting the most up-to-date fixes and functionality.