Maintenance releases available today: 14.7.2, 13.4.13, 12.6.22

Fellow developers,

Bloomreach is pleased to announce new maintenance releases for all currently maintained versions of Bloomreach Experience Manager: 14.7.2, 13.4.13, 12.6.22.

These releases focus on updates to address the recently-disclosed log4shell vulnerabilities. As usual, we recommend updating to the latest maintenance release for your major version ASAP. Detailed information about dependency version changes are now listed on the release notes for each version, so please check for any specific updates that might affect your projects.

Note that we’ve accelerated our usual schedule for the community release of 14.7, so the features of this minor release are also available to the community for the first time this week. Dependency changes for the 14.7.0 release are somewhat more extensive than for the 14.7.2 release specifically.

Release notes are linked from the usual place:

You can find detailed security-related content below. Note the list of disclosures linked at the bottom of the page.

Both the enterprise and community release artifacts are now available in the Bloomreach Maven repository. Community source code for these versions have also been published to GitHub today. Thanks for your contributions to our community!

Peter Centgraf
Manager, Bloomreach Content Pulsar Team


Do you know where I can find the updated jar files for 13.4.14 so that the log4j vulnerability issue is resolved?

We release the public artifacts to and the Enterprise-licensed artifacts to


Hi Jeroen,

I could not find the latest jar files in these links for v13.4.14, specifically I was looking for jar files like hippo-cms7-commons-2.2.0, hippo-repository-builtin-3.2.7, hippo-services-autoreload-2.2.0, jcl-over-slf4j-1.7.6, log4j-1.2.17, slf4j-log4j12-1.7.6, slf4j-api-1.7.6, hippo-services-2.2.1, hippo-repository-api-3.2.7. Can you help me these?
We just want to update our log4j version to v2.17

The mentioned artifacts are in the same places, e.g. at

Bumping your project to 13.4.14 should pull in all the necessary jars if you have set up your Maven correctly. Normally you don’t need to look for the dependencies specifically.

Also, for 13.4.14, the correct hippo-cms7-commons artifact is also version 13.4.14.jar so I’m thinking you have a dependency situation. Please look into your dependency tree to figure out where these are coming from.

Regards, Jeroen

Thanks Jeroen