Application Platform 10.15 | Critical Information
 
Critical Information
This section lists any critical issues for the current release that were known when this readme was published. For critical information found later, go to the Knowledge Center on the Empower website.
*PLS-505
Application Platform contains the third-party library Log4j 2.11.2, which has known security vulnerabilities: CVE-2021-44228 and CVE-2021-45046.
*PLS-547
The bundles.info file, which lists the active bundles in the OSGi runtime, includes a reference to version 2.13.3 of the third-party library Log4j.
While the reference to org.apache.logging.log4j.api_2.13.3.jar is removed from the bundles.info file, it still appears in <SoftwareAG_directory>/common/runtime/ /bundles/platform/eclipse/plugins. This poses no security risk because the log4j.api_2.13.3.jar file is no longer listed in the bundles.info file.
*PLS-445
Access Control List (ACL) permissions change to "Anonymous" when loading a webMethods Integration Server instance that has the webMethods Application Platform WmAppPlat package.
The Application Platform WmAppPlat package depends on Integration Server. When the WmAppPlat package loads in Integration Server, the execution ACL for all services under the pub namespace changes to allow "Anonymous" access. The ACL permissions are restored when the WmAppPlat package is disabled.
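To confirm the PLS-547 condition on an installation, the following added example (not part of the product or of this readme) compares the Log4j jars present in a plugins directory with the jars referenced in bundles.info. It assumes the Equinox simpleconfigurator line format (symbolicName,version,location,startLevel,markedAsStarted); the function names, the sample bundle names and the version 9.9.9 are constructed for illustration.

```python
import os
import re
import tempfile

# Matches Log4j jar names such as org.apache.logging.log4j.api_2.13.3.jar
LOG4J_JAR = re.compile(r"log4j.*\.jar$", re.IGNORECASE)

def referenced_jars(bundles_info_text):
    """Return the basenames of all jars referenced by bundles.info.

    Assumption: each non-comment line has the form
    symbolicName,version,location,startLevel,markedAsStarted
    """
    jars = set()
    for line in bundles_info_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) >= 3:
            # location may be a relative path, absolute path or file: URL
            jars.add(fields[2].replace("\\", "/").rsplit("/", 1)[-1])
    return jars

def audit_log4j(plugins_dir, bundles_info_text):
    """Map each Log4j jar on disk to 'referenced' or 'orphaned'."""
    active = referenced_jars(bundles_info_text)
    report = {}
    for name in sorted(os.listdir(plugins_dir)):
        if LOG4J_JAR.search(name):
            report[name] = "referenced" if name in active else "orphaned"
    return report

def demo():
    """Run the audit on a constructed plugins directory and bundles.info."""
    sample_info = (  # constructed sample, not taken from a real installation
        "#version=1\n"
        "org.example.core,1.0.0,plugins/org.example.core_1.0.0.jar,4,true\n"
        "org.apache.logging.log4j.api,9.9.9,"
        "plugins/org.apache.logging.log4j.api_9.9.9.jar,4,true\n"
    )
    with tempfile.TemporaryDirectory() as plugins:
        for jar in ("org.example.core_1.0.0.jar",
                    "org.apache.logging.log4j.api_2.13.3.jar",
                    "org.apache.logging.log4j.api_9.9.9.jar"):
            open(os.path.join(plugins, jar), "wb").close()
        return audit_log4j(plugins, sample_info)

if __name__ == "__main__":
    for jar, state in demo().items():
        print(f"{state:10} {jar}")
```

A jar reported as "orphaned" is on disk but not listed in bundles.info, which is the state PLS-547 describes for org.apache.logging.log4j.api_2.13.3.jar; a jar reported as "referenced" is listed in bundles.info.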