For all SWG customers using any module of the QFM or P3rform system, please refer to the below statement regarding the Log4j vulnerability (CVE-2021-44228): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Following detailed and thorough investigations, SWG can confirm that QFM and P3rform are not impacted by the well-publicised Log4j vulnerability.

QFM uses log4net which is a port of log4j but does not include this vulnerability as it does not use the JNDI (The Java Naming and Directory Interface™), Java or its runtime.

QFM relies on Crystal Reports functionality for some of its reporting functions. SAP has confirmed that they do not use log4j in Crystal Reports, as per this publicised statement: https://answers.sap.com/questions/13545419/log4j-security-vulnerability-with-sap-crystal-repo.html

SWG’s Development Team have investigated other technologies and have confirmed with Microsoft that Xamarin (used in QFM App) is not impacted: https://docs.microsoft.com/en-us/answers/questions/661462/log4j-vulnerability-and-xamarinforms.html

Additionally, SWG’s Development Team have decompiled log4net, Crystal Reports and other 3rd party components used in QFM (web, mobile, workflow scheduler etc) and found no dependencies on log4j.

Furthermore, SWG’s vulnerability scanning provider, App-Check, released a Log4Shell specific scan which has received clean results when run on QFM.

Should you have any further concerns or questions, please speak with your Account Manager, or contact SWG’s Support Team, via the Client Portal.