Mitigating Log4J Security Vulnerability

On December 12, 2021, Apache Log4J 2.x reported that this widely used Java logging framework has been exposed to a serious security vulnerability. OpenRules Decision Manager, like many other Java-based products, uses Log4J. To mitigate this problem, we quickly switched to the recommended version 2.15.0 of log4j that was supposed to remove the above vulnerability. However, on December 14 a second vulnerability was discovered and Apache released version 2.16.0 to address the problem.

Based on the seriousness of these events, we decided to create a new emergency release 8.4.3 of OpenRules Decision Manager that uses log4j version 2.16.0 (not 2.15.0). We’ve already built the first version 8.4.3, and it’s going through thorough testing. For urgent situations, we made the evaluation version 8.4.3 available from here. Our team will continue to work hard to make sure that a well-tested Release 8.4.3 will be available to all customers tomorrow morning. If you have any questions, please contact support@openrules.com.

Advancing AWS Lambda Decision Services

AWS Lambda has recently extended the capability to track the current state of a function through its lifecycle. In this post AWS wrote: “We’re extending the General Update from September 30 2021 to December 5 2021. The End of Delayed Update date is now also changed to December 6 2021.” With this change, all users of AWS Lambda need to update their AWS SDK-based automation workflows. How would it affect OpenRules-based decision services deployed as AWS Lambdas?
