S32 Design Studio and the Apache Log4j CVE-2021-45046 vulnerability


A vulnerability in Apache Log4j was identified in the posted articles: CVE-2021-44228 and CVE-2021-45046.

NXP has performed an analysis of this vulnerability with regard to the S32 Design Studio. Our conclusion is that the S32 Design Studio (all versions) is NOT IMPACTED. Although Log4j is used by S32 Design Studio, the version used is 1.x, and the vulnerability was introduced in version 2.12 in combination with Java versions 9/10/11, where LDAP policy is enabled by default (CVE-2021-45046). The S32 Design Studio installation environment is independent and based on Java 8, which is common to all tools running under the S32 Design Studio IDE. In addition, the S32 Design Studio does not use JMSAppender, so it is not affected by the identified log4j 1.x usage concern (CVE-2021-44228). When we determine that an upgrade of the Log4j and/or Java version is required for a future release of S32 Design Studio, this vulnerability will be addressed.
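The two conditions this conclusion rests on (only Log4j 1.x present, no JMSAppender configured) can be checked on a local installation. The following is an added example, not NXP's code: it walks a directory, classifies each jar as Log4j 1.x or 2.x by a marker class, and flags any `log4j.properties` or `log4j.xml`, on disk or bundled in a jar, that names JMSAppender. The function names, the marker-class heuristic and the sample tree are assumptions of this example.

```python
import os, tempfile, zipfile
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # present in log4j-core 2.x
V1_LOGGER = "org/apache/log4j/Logger.class"                            # present in log4j 1.x
CONFIG_NAMES = ("log4j.properties", "log4j.xml")                       # log4j 1.x config files

def uses_jms(text):
    """True if a line that is not a properties comment mentions JMSAppender."""
    return any("JMSAppender" in ln for ln in text.splitlines()
               if not ln.lstrip().startswith(("#", "!")))

def audit(root):
    """Map jars to Log4j generation; list configs (on disk or in jars) naming JMSAppender."""
    jars, jms = {}, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(".jar") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as jar:
                    entries = jar.namelist()
                    if JNDI_LOOKUP in entries:
                        jars[rel] = "2.x"
                    elif V1_LOGGER in entries:
                        jars[rel] = "1.x"
                    jms += [rel + "!" + e for e in entries
                            if e.rsplit("/", 1)[-1] in CONFIG_NAMES
                            and uses_jms(jar.read(e).decode("utf-8", "replace"))]
            elif name in CONFIG_NAMES:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if uses_jms(fh.read()):
                        jms.append(rel)
    return jars, jms

def build_sample(root):
    """Constructed tree (not a real installation): two jars, two configs."""
    for jar_name, member in (("sample-v1.jar", V1_LOGGER), ("sample-v2.jar", JNDI_LOOKUP)):
        with zipfile.ZipFile(os.path.join(root, jar_name), "w") as jar:
            jar.writestr(member, b"")
    configs = {"safe": "# log4j.appender.j=org.apache.log4j.net.JMSAppender\n",
               "risky": "log4j.appender.j=org.apache.log4j.net.JMSAppender\n"}
    for sub, body in configs.items():
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "log4j.properties"), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

Only properties-style comments (`#`, `!`) are skipped, so a JMSAppender that is commented out in `log4j.xml` is still reported and needs a manual look.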

Please see the attached presentation for details on other tools owned by NXP Automotive Processing Software Tools.

Last update: 02-07-2022 01:35 PM