On December 9, 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. This vulnerability allows an attacker to execute code on a remote server, a class of flaw known as Remote Code Execution (RCE). Because of the widespread use of Java and Log4j, this is likely one of the most serious vulnerabilities on the Internet since both Heartbleed and ShellShock.
The vulnerability is tracked as CVE-2021-44228 and affects version 2 of Log4j, from version 2.0-beta-9 through 2.14.1. It is not present in version 1 of Log4j and is patched in version 2.15.0.
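For self-hosted installations, the version range above can be checked against the Log4j jars on disk. The following is an added example, not RWS code or part of the original advisory: it assumes the standard jar names `log4j-core-<version>.jar` (Log4j 2) and `log4j-<version>.jar` (Log4j 1), and the function names and status labels are hypothetical.

```python
import re
from pathlib import Path

# Jar names for Log4j 2 core (log4j-core-<ver>.jar) and Log4j 1 (log4j-<ver>.jar).
JAR_RE = re.compile(r"log4j(?:-core)?-(\d[\w.-]*)\.jar")
# Pre-release qualifiers sort below the final release with the same number.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3}


def version_key(version):
    """Turn '2.0-beta9', '2.0-beta-9' or '2.14.1' into a sortable tuple."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)-?(\d*))?", version)
    qualifier = (m.group(2) or "").lower() if m else None
    if qualifier not in QUALIFIER_RANK:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad so 2.0 compares like 2.0.0
    return (*nums[:3], QUALIFIER_RANK[qualifier], int(m.group(3) or 0))


FIRST_AFFECTED = version_key("2.0-beta-9")  # lower bound stated on this page
FIRST_PATCHED = version_key("2.15.0")       # fixed release stated on this page


def classify_jar(filename):
    """Return (version, status) for a Log4j jar name, or None for other files."""
    m = JAR_RE.fullmatch(filename)
    if m is None:
        return None
    try:
        key = version_key(m.group(1))
    except ValueError:
        return (m.group(1), "unknown")  # e.g. a '-sources' jar; check by hand
    if key < FIRST_AFFECTED:
        return (m.group(1), "not-affected")
    return (m.group(1), "affected" if key < FIRST_PATCHED else "patched")


def scan(root):
    """Classify every Log4j jar found by file name under a directory tree."""
    hits = ((p, classify_jar(p.name)) for p in Path(root).rglob("*.jar"))
    return [(str(p), *hit) for p, hit in hits if hit is not None]


if __name__ == "__main__":
    import sys
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:12} {version:12} {path}")
```

A file-name check does not see copies of the library bundled inside other archives (fat jars, WAR files), so a clean result is not proof that the library is absent.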
This library is used in some RWS products:
If your products and services are hosted by RWS, then mitigation steps will already have been taken by our Cloud Operations team.
However, if you host any of the products listed below, please make sure to take the mitigation steps listed in the respective articles for your product(s) in the resolution section below.
The following products were affected. Please click on the respective article below for your product(s):