CVE-2021-44228 - No actions required for CommCare hosted systems

This is a notification that no action is required for a standard hosted instance of CommCare in response to the recently discovered CVE-2021-44228.

Dimagi's teams reviewed all elements of the CommCare hosted stack on Friday, Dec 10, immediately after the exploit was announced. Our inventory confirmed that no elements of the CommCare Java codebases use the vulnerable component, and that no other distributed Java services deployed through CommCare Cloud were affected. At no point was the stack vulnerable to the reported exploit, so no updates or patches are necessary.

We strongly recommend that administrators review any software components outside those managed by CommCare Cloud to ensure that they are patched or unaffected.