Security

Log4j

ECS systems are based on CentOS (4-7) or Rocky Linux (8+). These operating systems are basically the same as Red Hat Enterprise Linux but with different logos and licensing. According to the following Red Hat web page, these operating systems are not affected by the log4j vulnerability. The page also has more information about the vulnerability. We are currently running the scanner on several systems as an additional check.

 

  • RHSB-2021-009 Log4Shell - Remote Code Execution - log4j
  • ECS programs do not use Apache Log4j directly. We use the Apache Batik library. Part of the library uses Log4j but we do not use that function (PDF conversion).