Camunda — Security Notices

Notice 43

Tue, 07 Apr 2026 00:00:00 GMT

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP headers will not be written. This is related to CVE-2026-22732.

How to determine if the installation is affected

You are using:

Management Identity 8.7.4 - 8.7.10, 8.7.12 - 8.7.16, 8.8.0 - 8.8.2, or 8.8.5 - 8.8.9
Zeebe 8.7.21 - 8.7.25
Tasklist 8.7.21 - 8.7.25
Operate 8.7.22 - 8.7.25
Optimize 8.7.14 - 8.7.18 or 8.8.2 - 8.8.7
Web Modeler Self-Managed ≤ 8.6.26, ≤ 8.7.18, or ≤ 8.8.11

Solution

Camunda has provided the following releases which contain the fix:

Management Identity 8.7.17, 8.8.10
Zeebe 8.7.26
Tasklist 8.7.26
Operate 8.7.26
Optimize 8.7.19, 8.8.8
Web Modeler Self-Managed 8.6.27, 8.7.19, 8.8.12

The fix was deployed to Web Modeler SaaS on March 23, 2026, 17:26 CET.

Notice 42

Mon, 09 Mar 2026 00:00:00 GMT

The application was vulnerable to CVE-2026-24734, which allowed an attacker to bypass revocation checks of client SSL certificates if a certain server configuration was used.

How to determine if the installation is affected

You are using:

Management Identity ≤ 8.8.7, ≤ 8.7.14, or ≤ 8.6.27

Solution

Camunda has provided the following releases which contain the fix:

Management Identity 8.8.8, 8.7.15, 8.6.28

Notice 41

Mon, 09 Mar 2026 00:00:00 GMT

The version of fast-xml-parser used by Camunda Web Modeler was affected by CVE-2026-26278, a vulnerability which could be exploited as a vector for denial of service attacks by forcing the parser to do an unlimited amount of entity expansions.

How to determine if the installation is affected

You are using:

Web Modeler Self-Managed ≤ 8.8.8, ≤ 8.7.16, or ≤ 8.6.25

Solution

Camunda has provided the following releases that contain the fix:

Web Modeler Self-Managed 8.8.9, 8.7.17, 8.6.26

This issue does not affect Web Modeler SaaS.

Notice 40

Mon, 23 Feb 2026 00:00:00 GMT

The version of Tomcat used by the Diagram Converter Webapp was affected by:

How to determine if the installation is affected

You are using:

C7 to C8 Migration Tooling 0.2.0 AND
the Diagram Converter Webapp

Solution

Camunda has released the C7 to C8 Migration Tooling 0.2.1, which includes the fix.

Notice 39

Tue, 10 Feb 2026 00:00:00 GMT

The version of fast-xml-parser used by Camunda Web Modeler was affected by CVE-2026-25128, a RangeError vulnerability that could crash any application that processes untrusted XML input.

How to determine if the installation is affected

You are using:

Web Modeler Self-Managed ≤ 8.8.6, ≤ 8.7.15, or ≤ 8.6.24

Solution

Camunda has provided the following releases that contain the fix:

Web Modeler Self-Managed 8.8.7, 8.7.16, 8.6.25

The fix was deployed to Web Modeler SaaS on February 2, 2026, 15:15 CET.

Notice 38

Thu, 08 Jan 2026 00:00:00 GMT

The version of qs used by Camunda Web Modeler was affected by CVE-2025-15284, an improper input validation vulnerability that allows HTTP DoS.

How to determine if the installation is affected

You are using:

Web Modeler Self-Managed ≤ 8.8.4, ≤ 8.7.14, or ≤ 8.6.23

Solution

Camunda has provided the following releases that contain the fix:

Web Modeler Self-Managed 8.8.5, 8.7.15, 8.6.24

The fix was deployed to Web Modeler SaaS on January 7, 2026, 13:45 CET.

Notice 37

Fri, 12 Dec 2025 00:00:00 GMT

The application is vulnerable to CVE-2025-12183, which allows remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.

How to determine if the installation is affected

You are using:

Tasklist/Zeebe/Operate ≤ 8.8.6, ≤ 8.7.20, or ≤ 8.6.32

Solution

Camunda has provided the following releases which contain the fix:

Tasklist/Zeebe/Operate 8.8.7, 8.7.21, 8.6.33

Notice 36

Wed, 03 Dec 2025 00:00:00 GMT

The application is vulnerable to CVE-2025-53066, which allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.

How to determine if the installation is affected

You are using:

Management Identity ≤ 8.8.2, ≤ 8.7.10, or ≤ 8.6.22

Solution

Camunda has provided the following releases which contain the fix:

Management Identity 8.8.3, 8.7.11, 8.6.23

Notice 35

Wed, 26 Nov 2025 00:00:00 GMT

The embedded JDBC driver for Amazon Aurora PostgreSQL (software.amazon.jdbc:aws-advanced-jdbc-wrapper) was affected by CVE-2025-12967, which may allow for privilege escalation to the rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.

How to determine if the installation is affected

You are using:

Web Modeler Self-Managed ≤ 8.8.2, ≤ 8.7.12, or ≤ 8.6.21 with Amazon Aurora PostgreSQL
Management Identity ≤ 8.8.1, ≤ 8.7.9, or ≤ 8.6.21 with Amazon Aurora PostgreSQL

Solution

Camunda has provided the following releases which contain the fix:

Web Modeler Self-Managed 8.8.3, 8.7.13, 8.6.22
Management Identity 8.8.2, 8.7.10, 8.6.22

Notice 34

Tue, 11 Nov 2025 00:00:00 GMT

The version of the MSSQL JDBC driver com.microsoft.sqlserver:mssql-jdbc used by Web Modeler was affected by CVE-2025-59250, which allows improper input validation that could enable an attacker to perform spoofing over a network.

How to determine if the installation is affected

You are using Web Modeler Self-Managed version <= 8.8.1 and Microsoft SQL Server as database vendor.

Solution

Camunda has provided the following release which contains the fix:

Web Modeler Self-Managed 8.8.2

Notice 33

Wed, 22 Oct 2025 00:00:00 GMT

A bug in signal broadcast command processing allowed unauthorized users to trigger signal start events or signal intermediate catch events in certain process definitions without the required create or update permissions.

This did not allow users to access process definitions of other tenants, or leak any information about these process instances back to the unauthorized users.

How to determine if the installation is affected

You are using:

Orchestration Cluster 8.8.0

Solution

Camunda has provided the following release which contains the fix:

Orchestration Cluster 8.8.1

Notice 32

Tue, 21 Oct 2025 00:00:00 GMT

The embedded Apache Tomcat was affected by CVE-2025-48989 which made Tomcat vulnerable to the MadeYouReset attack.

How to determine if the installation is affected

You are using:

Identity 8.7.0 - 8.7.4 or 8.7.6 - 8.7.7

Solution

Camunda has provided the following release which contains the fix:

Identity 8.7.8

Notice 31

Thu, 16 Oct 2025 00:00:00 GMT

The embedded Undertow web server was affected by CVE-2025-9784, a flaw where malformed client requests can trigger server-side stream resets without incrementing abuse counters.

This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts and could be exploited to cause a denial of service (DoS).

How to determine if the installation is affected

You are using:

Web Modeler Self-Managed 8.8.0, ≤ 8.7.10, or ≤ 8.6.19

Solution

Camunda has provided the following releases which contain the fix:

Web Modeler Self-Managed 8.8.1, 8.7.11, 8.6.20

The fix was deployed to Web Modeler SaaS on October 14, 2025, 14:26 CET.

Notice 30

Tue, 07 Oct 2025 00:00:00 GMT

The embedded Netty was affected by CVE-2025-58056, an HTTP request smuggling vulnerability in Netty. Incorrect parsing of chunked transfer encoding could allow attackers to craft malicious requests that are interpreted inconsistently by proxies and Netty.

How to determine if the installation is affected

You are using:

Tasklist 8.7.0 - 8.7.12 or 8.5.0 - 8.5.22
Zeebe 8.7.0 - 8.7.12 or 8.5.0 - 8.5.24
Operate 8.7.0 - 8.7.12 or 8.5.0 - 8.5.20
Optimize 8.7.0 - 8.7.9 or 8.6.0 - 8.6.16
Identity 8.7.0 - 8.7.6 or 8.6.0 - 8.6.19 or 8.5.0 - 8.5.21

Solution

Camunda has provided the following releases which contain the fix:

Tasklist 8.7.13, 8.5.23
Zeebe 8.7.13, 8.5.25
Operate 8.7.13, 8.5.21
Optimize 8.7.10, 8.6.17
Identity 8.7.7, 8.6.20, 8.5.22

Notice 29

Fri, 03 Oct 2025 00:00:00 GMT

Zeebe may be affected by CVE-2024-41996, which allows remote attackers to trigger expensive server-side DHE modular-exponentiation calculations, potentially causing asymmetric resource consumption and DoS attacks.

How to determine if the installation is affected

You are potentially affected if you have configured Zeebe to accept DHE or ECDHE cipher suites through the server.ssl.ciphers property or SERVER_SSL_CIPHERS environment variable.

Default Zeebe installations are not affected.

Solution

Configure the server.ssl.ciphers property or SERVER_SSL_CIPHERS environment variable to exclude DHE and ECDHE cipher suites. For example:

server.ssl.ciphers=TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA

There is no known mitigation other than disabling the use of DHE and ECDHE cipher suites.

Notice 28

Tue, 09 Sep 2025 00:00:00 GMT

Optimize was affected by CVE-2025-5115, which allows a remote attacker to repeatedly send malformed HTTP/2 frames that exhaust a Jetty server’s CPU and memory, causing a denial-of-service.

How to determine if the installation is affected

You are using:

Optimize 8.7.0 - 8.7.8 or 8.6.0 - 8.6.15

Solution

Camunda has provided the following releases which contain the fix:

Optimize 8.7.9, 8.6.16

Notice 27

Wed, 27 Aug 2025 00:00:00 GMT

Optimize's email functionality was affected by CVE-2025-7962, which allowed for SMTP injection by providing forged email recipient addresses that could lead to malicious content being sent to arbitrary recipients.

How to determine if the installation is affected

You are using:

Optimize 8.7.0 - 8.7.7 or 8.6.0 - 8.6.14

Solution

Camunda has provided the following releases which contain the fix:

Optimize 8.7.8, 8.6.15

Notice 26

Wed, 27 Aug 2025 00:00:00 GMT

Optimize was affected by CVE-2025-53864 which allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion.

How to determine if the installation is affected

You are using:

Optimize 8.7.0 - 8.7.7 or 8.6.0 - 8.6.14

Solution

Camunda has provided the following releases which contain the fix:

Optimize 8.7.8, 8.6.15

Notice 25

Wed, 27 Aug 2025 00:00:00 GMT

The embedded Apache Tomcat was affected by CVE-2025-48989 which made Tomcat vulnerable to the MadeYouReset attack.

How to determine if the installation is affected

You are using:

Tasklist 8.7.0 - 8.7.10 or 8.6.0 - 8.6.24 or 8.5.0 - 8.5.20
Zeebe 8.7.0 - 8.7.10 or 8.6.0 - 8.6.24
Operate 8.7.0 - 8.7.10 or 8.6.0 - 8.6.24 or 8.5.0 - 8.5.18
Optimize 8.7.0 - 8.7.7 or 8.6.0 - 8.6.14

Solution

Camunda has provided the following releases which contain the fix:

Tasklist 8.7.11, 8.6.25, 8.5.21
Zeebe 8.7.11, 8.6.25
Operate 8.7.11, 8.6.25, 8.5.19
Optimize 8.7.8, 8.6.15

Notice 24

Wed, 27 Aug 2025 00:00:00 GMT

The embedded Netty was affected by CVE-2025-55163 which allows malformed HTTP/2 control frames usage that results in resource exhaustion and distributed denial of service.

How to determine if the installation is affected

You are using:

Tasklist 8.7.0 - 8.7.10 or 8.6.0 - 8.6.24 or 8.5.0 - 8.5.20
Zeebe 8.7.0 - 8.7.10 or 8.6.0 - 8.6.24 or 8.5.0 - 8.5.22
Operate 8.7.0 - 8.7.10 or 8.6.0 - 8.6.24 or 8.5.0 - 8.5.18
Identity 8.7.0 - 8.7.5 or 8.6.0 - 8.6.18 or 8.5.0 - 8.5.19
Optimize 8.7.0 - 8.7.7 or 8.6.0 - 8.6.14

Solution

Camunda has provided the following releases which contain the fix:

Tasklist 8.7.11, 8.6.25, 8.5.21
Zeebe 8.7.11, 8.6.25, 8.5.23
Operate 8.7.11, 8.6.25, 8.5.19
Identity 8.7.6, 8.6.19, 8.5.20
Optimize 8.7.8, 8.6.15

Notice 23

Thu, 31 Jul 2025 00:00:00 GMT

The embedded Spring Boot Tomcat was affected by CVE-2025-53506 which allowed for uncontrolled resource consumption that could be used to exhaust system resources in a potential DoS (denial of service) attack.

How to determine if the installation is affected

You are using:

Tasklist 8.7.0 - 8.7.8 or 8.6.0 - 8.6.22 or 8.5.0 - 8.5.18
Zeebe 8.7.0 - 8.7.8 or 8.6.0 - 8.6.22
Operate 8.7.0 - 8.7.8 or 8.6.0 - 8.6.22 or 8.5.0 - 8.5.16
Identity 8.7.0 - 8.7.4 or 8.6.0 - 8.6.17 or 8.5.0 - 8.5.18
Optimize 8.7.0 - 8.7.6 or 8.6.0 - 8.6.12

Solution

Camunda has provided the following releases which contain the fix:

Tasklist 8.7.9, 8.6.23, 8.5.19
Zeebe 8.7.9, 8.6.23
Operate 8.7.9, 8.6.23, 8.5.17
Identity 8.7.5, 8.6.18, 8.5.19
Optimize 8.7.7, 8.6.13

Notice 22

Thu, 31 Jul 2025 00:00:00 GMT

Part of our RESTful API that supported multipart file uploads was affected by CVE-2025-52520, which could lead to potential DoS (denial of service) attacks.

How to determine if the installation is affected

You are using:

Tasklist 8.6.0 - 8.6.22 or 8.7.0 - 8.7.8
Zeebe 8.6.0 - 8.6.22 or 8.7.0 - 8.7.8
Operate 8.6.0 - 8.6.22 or 8.7.0 - 8.7.8

Solution

Camunda has provided the following releases which contain the fix:

Tasklist 8.6.22
Tasklist 8.7.9
Zeebe 8.6.23
Zeebe 8.7.9
Operate 8.6.23
Operate 8.7.9

Notice 21

Wed, 18 Jun 2025 00:00:00 GMT

The version of org.postgresql:postgresql used by Camunda Web Modeler Self-Managed was affected by CVE-2025-49146 potentially allowing a man-in-the-middle attacker to intercept connections when the PostgreSQL JDBC driver was configured with channel binding set to required.

How to determine if the installation is affected

You are using Camunda Web Modeler Self-Managed version 8.6.0 - 8.6.12, or 8.7.0 - 8.7.3.

Solution

Camunda has provided the following releases which contain the fix:

Camunda Web Modeler Self-Managed 8.6.12
Camunda Web Modeler Self-Managed 8.7.3

Notice 20

Tue, 17 Jun 2025 00:00:00 GMT

Camunda Optimize was affected by a vulnerability that allowed an attacker to gain improper access to Optimize data by using a modified JWT (JSON Web Token).

How to determine if the installation is affected

You are using Camunda Optimize ≤ 8.6.9 or ≤ 8.7.2.

Solution

Camunda has provided the following release which contains a fix:

Notice 19

Wed, 21 May 2025 00:00:00 GMT

The version of nodejs used by Camunda Web Modeler was affected by CVE-2025-23166 potentially allowing an adversary to remotely crash the Node.js runtime.

How to determine if the installation is affected

You are using Camunda Web Modeler Self-Managed version ≤ 8.4.17, ≤ 8.5.18, ≤ 8.6.10, or ≤ 8.7.1.

Solution

Camunda has provided the following releases which contain the fix:

Camunda Web Modeler Self-Managed 8.4.18
Camunda Web Modeler Self-Managed 8.5.19
Camunda Web Modeler Self-Managed 8.6.11
Camunda Web Modeler Self-Managed 8.7.2

The fix was deployed to Web Modeler SaaS on May 19, 2025, 15:10 CET.

Notice 18

Tue, 08 Apr 2025 00:00:00 GMT

Camunda Optimize was affected by a vulnerability that allowed an attacker to modify a JWT (JSON Web Token) so that they would be given improper access to Optimize.

How to determine if the installation is affected

You are using Camunda Optimize ≤ 8.4.15, ≤ 8.5.12, ≤ 8.6.6, ≤ 8.7.0, ≤ 3.11.20, ≤ 3.12.15, ≤ 3.13.12, ≤ 3.14.3, ≤ 3.15.1.

Solution

Camunda has provided the following release which contains a fix:

Camunda Optimize 8.4.16, 8.5.13, 8.6.7, 8.7.0, 3.12.16, 3.13.13, 3.14.4, 3.15.2

Notice 17

Tue, 08 Apr 2025 00:00:00 GMT

When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

As Zeebe makes extensive use of Protobuf, this could lead to denial-of-service (DoS) issues on the server side.
This issue allows an attacker to send specific payloads that will always result in StackOverflowException. This could lead to gateway performance issues and affect system availability.
Although the gateway will not crash, it will spend more time working on these requests. An attacker could use this opportunity to slow it down and make it unusable by sending a large number of requests within a short time frame.

No data is leaked, lost, or corrupted. This issue only affects application availability.

Learn more about this CVE at the GitHub Advisory Database.

How to determine if the installation is affected

You are using Camunda Zeebe 8.6.11.

Solution

Camunda has provided the following release which contains a fix:

Camunda Zeebe 8.6.13

Notice 16

Fri, 14 Mar 2025 00:00:00 GMT

Some Camunda Zeebe versions were affected by a vulnerability that allowed a malicious attacker to craft network packets that could crash the gateway.

How to determine if the installation is affected

You are using Camunda Zeebe 8.6.0 - 8.6.11

Solution

Camunda has provided the following release which contains a fix:

Camunda Zeebe 8.6.12

Notice 15

Tue, 11 Mar 2025 00:00:00 GMT

Some Camunda Optimize versions were affected by a vulnerability that allowed a malicious attacker to craft Camunda URLs that could execute JavaScript code.

How to determine if the installation is affected

You are using Camunda Optimize ≤ 8.6.5.

Solution

Camunda has provided the following release which contains a fix:

Camunda Optimize 8.6.6

Notice 14

Tue, 11 Mar 2025 00:00:00 GMT

The version of koa used by Camunda Web Modeler was affected by the following vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2025-25200

How to determine if the installation is affected

You are using Camunda Web Modeler Self-Managed version ≤ 8.3.16, ≤ 8.4.14, ≤ 8.5.15, or ≤ 8.6.7.

Solution

Camunda has provided the following releases which contain the fix:

Camunda Web Modeler Self-Managed 8.3.17
Camunda Web Modeler Self-Managed 8.4.15
Camunda Web Modeler Self-Managed 8.5.16
Camunda Web Modeler Self-Managed 8.6.8

The fix was deployed to Web Modeler SaaS on February 14, 2025, 08:50 CET.

Notice 13

Thu, 18 Jul 2024 00:00:00 GMT

The version of Apache Tomcat used by Camunda Identity was affected by the following vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2024-34750

How to determine if the installation is affected

You are using Camunda Identity version 8.5.3 or previous.

Solution

Camunda has provided the following release which contains a fix:

Camunda Identity 8.5.4

Notice 12

Tue, 03 Oct 2023 00:00:00 GMT

The version of libwebp shipped with Camunda Desktop Modeler was affected by the following vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2023-4863

How to determine if the installation is affected

You are using Camunda Desktop Modeler version 5.15.1 or previous.

Solution

Camunda has provided the following release which contains a fix:

Camunda Desktop Modeler 5.15.2

Notice 11

Mon, 17 Apr 2023 00:00:00 GMT

The Tasklist REST API functionality of Tasklist 8.2.0 and 8.2.1 allows unauthenticated access to the following methods/URLs:

GET /v1/tasks/{taskId}
POST /v1/tasks/search
POST /v1/tasks/{taskId}/variables/search
POST /v1/forms/{formId}
POST /v1/variables/{variableId}

Find more information about the methods in our Tasklist REST API documentation.

Therefore, if you use Tasklist 8.2.0 or 8.2.1, and if you have sensible data stored in process variables (accessed by user tasks), this data could have been accessed by users knowing the endpoint of the Tasklist instance without authentication.

How to determine if the installation is affected

You are using Tasklist version 8.2.0 or 8.2.1.

Solution

Camunda has provided the following releases which contain a fix

Tasklist 8.2.2

Notice 10

Thu, 10 Nov 2022 00:00:00 GMT

The Tasklist Docker image contain an OpenSSL version 3.0.2 for which the following CVEs have been published:

At this point, Camunda is not aware of any specific attack vector in Tasklist allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.

How to determine if the installation is affected

You are Tasklist version (8.0.3 ≥ version ≤ 8.0.7) or ≤ 8.1.2

Solution

Camunda has provided the following releases which contain a fix

Notice 9

Mon, 11 Apr 2022 00:00:00 GMT

Zeebe, Operate, Tasklist and IAM are using the Spring framework for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2022-22965

At this point, Camunda is not aware of any specific attack vector in Zeebe, Operate, Tasklist or IAM allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.

How to determine if the installation is affected

You are using Zeebe, Operate or Tasklist version ≤ 1.2.11 or ≤ 1.3.6

Solution

Camunda has provided the following releases which contain a fix

Notice 8

Fri, 31 Dec 2021 00:00:00 GMT

Zeebe, Operate and Tasklist bundle log4j-core for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-44832. At this point, Camunda is not aware of any specific attack vector in Zeebe, Operate or Tasklist allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.

How to determine if the installation is affected

You are using Zeebe, Operate or Tasklist version ≤ 1.2.8 or ≤ 1.1.9

Solution

Camunda has provided the following releases which contain a fix

Notice 7

Fri, 31 Dec 2021 00:00:00 GMT

IAM bundles log4j libraries for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-44832. Specifically, IAM bundles log4j-api and log4j-to-slf4j. However, IAM does not bundle the log4j-core library which contains the vulnerability referred to by the CVE. As a result, Camunda does not consider IAM to be affected by the vulnerability. Still, Camunda recommends applying fixes as mentioned in the Solution section below.

How to determine if the installation is affected

You are using IAM version ≤ 1.2.8

Solution

Camunda has provided the following releases which contain a fix

IAM 1.2.9

Notice 6

Wed, 22 Dec 2021 00:00:00 GMT

Zeebe, Operate and Tasklist bundle log4j-core for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-45105. At this point, Camunda is not aware of any specific attack vector in Zeebe, Operate or Tasklist allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.

How to determine if the installation is affected

You are using Zeebe, Operate or Tasklist version ≤ 1.2.7 or ≤ 1.1.8

Solution

Camunda has provided the following releases which contain a fix

Notice 5

Wed, 22 Dec 2021 00:00:00 GMT

IAM bundles log4j libraries for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-45105. Specifically, IAM bundles log4j-api and log4j-to-slf4j. However, IAM does not bundle the log4j-core library which contains the vulnerability referred to by the CVE. As a result, Camunda does not consider IAM to be affected by the vulnerability. Still, Camunda recommends applying fixes as mentioned in the Solution section below.

IAM bundles logback libraries for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-42550. At this point, Camunda is not aware of any specific attack vector in IAM allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.

How to determine if the installation is affected

You are using IAM version ≤ 1.2.7

Solution

Camunda has provided the following releases which contain a fix

IAM 1.2.8

Notice 4

Fri, 17 Dec 2021 00:00:00 GMT

Zeebe, Operate and Tasklist bundle log4j-core for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-45046. At this point, Camunda is not aware of any specific attack vector in Zeebe, Operate or Tasklist allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.

How to determine if the installation is affected

You are using Zeebe, Operate or Tasklist version ≤ 1.2.6 or ≤ 1.1.7

Solution

Camunda has provided the following releases which contain a fix

Notice 3

Fri, 17 Dec 2021 00:00:00 GMT

IAM bundles log4j libraries for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-45046. Specifically, IAM bundles log4j-api and log4j-to-slf4j. However, IAM does not bundle the log4j-core library which contains the vulnerability referred to by the CVE. As a result, Camunda does not consider IAM to be affected by the vulnerability. Still, Camunda recommends applying fixes as mentioned in the Solution section below.

How to determine if the installation is affected

You are using IAM version ≤ 1.2.6

Solution

Camunda has provided the following releases which contain a fix

IAM 1.2.7

Notice 2

Tue, 14 Dec 2021 00:00:00 GMT

Zeebe, Operate and Tasklist bundle log4j-core for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-44228. At this point, Camunda is not aware of any specific attack vector in Zeebe, Operate or Tasklist allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.

How to determine if the installation is affected

You are using Zeebe, Operate or Tasklist version ≤ 1.2.5 or ≤ 1.1.6

Solution

Camunda has provided the following releases which contain a fix

Apply the patches mentioned above or set the JVM option -Dlog4j2.formatMsgNoLookups=true

Notice 1

Tue, 14 Dec 2021 00:00:00 GMT

IAM bundles log4j libraries for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-44228. Specifically, IAM bundles log4j-api and log4j-to-slf4j. However, IAM does not bundle the log4j-core library which contains the vulnerability referred to by the CVE. As a result, Camunda does not consider IAM to be affected by the vulnerability.

Still, Camunda recommends applying fixes as mentioned in the Solution section below.

How to determine if the installation is affected

You are using IAM version ≤ 1.2.5

Solution

Camunda has provided the following releases which contain a fix

IAM 1.2.6