Anyone know if Log4j is used by FileMaker in any capacity, whether in Pro, Go, Server or Cloud?

Over at Reddit, people are saying that Claris has claimed there are no vulnerabilities.

360-works has chimed in to say that none of their code uses Log4j.

It seems as though the 360-works product called Plastic is affected and that updates are available.

MonkeyBread has a statement here: MBS Blog - log4j

Claris posted an answer:


If you have any code written that uses log4j, Apache has already posted updated libraries (with corresponding new maven dependencies --> log4j-2.15.0) that fix this problem. If you have the 1.x version of log4j, you're OK for this current vulnerability, but that version has other problems.

Also, updating from 1.x -> 2.x requires a small code change in how you instantiate the LOGGER.

Log4j Version 1:
private static final Logger logger =

log4j Version 2:
private static final Logger logger = LogManager.getLogger(<class_name>.class.getName());

1 Like

This blog post offers a good recap: Fixing the Log4Shell (Log4j) exploit for FileMaker Server | by Anchor-Buoy Software | Dec, 2021 | Medium


New update from Claris over here: ClarisPKB


the statement by Claris could be a bit more clear

  • in aspect to log4j, FMS 18 is not affected, so for that reason no update to a 'current' version is needed (although, running a current version is always the preferred way)
  • running an older version as 18 (imho 16, 17) does not have the affected version of log4j, but that is no guarantee that it would be safe
  • there might be add-ons that installed log4j, so for example pdfBox for ubuntu seems to have that

Make sure it's log4j2 as log4j version 1 is not affected by this particular problem.

Claris posted a new, detailled documentation


Thank You so much, Claris!


Just for Clarification, they updated their original post. I'm glad they did so, otherwise people need a bunch of different links to get the full picture. They centralized everything in that one post, and it is a good thing.