Windward Studios is actively responding to the reported remote code execution vulnerabilities in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam), CVE-2021-44228 and CVE-2021-45046, which affect Apache Log4j software library versions 2.0-beta9 to 2.15.0. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.
We are investigating and taking action, and will continue to publish information to help customers mitigate this issue.
We have determined that version 20.2.0 of the JAVA and JAVA RESTful engines and all subsequent versions include the vulnerable log4j library version (2.8.0). Windward JAVA Engines prior to version 20.2.0 are NOT affected by this log4j vulnerability.
This vulnerability only affects the JAVA and JAVA RESTful engines. The .NET and .NET RESTful engines and the Designer (f.k.a. Autotag) are not affected by this vulnerability, since this is a JAVA-specific dependency.
We will be providing a patch for version 21.5.0 later this week to address this issue by including the fixed version of log4j from the Apache foundation. The latest release from the Apache foundation was yesterday (12/13/2021).
If you are unable to implement the patch or want to mitigate the issue manually, please follow the instructions on our support website found HERE.
UPDATE: Windward Studios has concluded its investigation into the recent Log4j 2 Java library vulnerabilities CVE-2021-44228 and CVE-2021-45046, affecting versions 20.2.0 and later of the JAVA and JAVA RESTful engines.
Version 21.5.2 has been patched to include the 2.16.0 version of Log4j, which has been fixed by the Apache foundation and is no longer vulnerable to this exploit. You can download the new version here.
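To confirm which log4j-core version an engine installation actually ships, the affected range stated above (2.0-beta9 to 2.15.0) can be checked against the jars on disk. The script below is an added example, not Windward or Apache code; it assumes the standard `log4j-core-<version>.jar` file naming and takes the directory to scan as its argument (renamed or shaded copies are not detected).

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Assumption: jars keep the standard Apache name log4j-core-<version>.jar.
JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before final
ARCHIVES = (".jar", ".war", ".ear")

def version_key(name):
    """Return a sortable tuple for a log4j-core jar name, or None if not one."""
    m = JAR_RE.search(name)
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    rank = PRE_RANK[tag.lower() if tag else None]
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))

# Affected range taken from the advisory as-is: 2.0-beta9 through 2.15.0.
LOW = version_key("log4j-core-2.0-beta9.jar")
HIGH = version_key("log4j-core-2.15.0.jar")

def is_affected(name):
    key = version_key(name)
    return key is not None and LOW <= key <= HIGH

def scan_archive(data, label, findings):
    """Record affected jars by name, descending into nested WAR/EAR/JAR files."""
    if is_affected(label):
        findings.append(label)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if entry.lower().endswith(ARCHIVES):
                    scan_archive(zf.read(entry), f"{label}!/{entry}", findings)
    except zipfile.BadZipFile:
        pass  # unreadable archive; the file-name check above still applied
    return findings

def scan_tree(root):
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("AFFECTED:", hit)
```

An empty result after upgrading means no jar in the scanned tree is named as a log4j-core version inside the affected range.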