Following the disclosure of the Apache Log4j 2 (CVE-2021-44228) vulnerability, we would like to reassure all of our users
that none of the WinMan products or services use Apache Log4j.
What is Apache Log4j 2?
![Marketing-HS-News-Apache Log4j 2 (CVE-2021-44228) vulnerability-2021-12](https://www.winman.com/hs-fs/hubfs/Marketing-HS-News-Apache%20Log4j%202%20(CVE-2021-44228)%20vulnerability-2021-12.jpg?width=379&name=Marketing-HS-News-Apache%20Log4j%202%20(CVE-2021-44228)%20vulnerability-2021-12.jpg)
Apache Log4j 2 is a logging library that is widely used in, or directly embedded in, open-source business system development software. The vulnerability, referred to as “Log4Shell”, affects Java-based applications using versions 2.0 to 2.14.1.
Where is the vulnerability?
It’s in a Java library, which means it can affect many platforms including Windows, macOS and Linux. The advice linked below recommends contacting all vendors to ensure they are running the latest version.
How to safeguard against the vulnerability?
The reported issue is that the library fails to validate incoming data.
Microsoft has released two new versions, 2.15 and 2.16. The first tackles the security issues and disables, by default, the functionality that made the library exploitable: JNDI message lookups. The second, version 2.16, disables all JNDI support by default and removes the message lookup entirely as an extra precaution.
If you have systems outside of WinMan ERP which may be affected, please have the provider of those services follow the steps outlined
in the official Microsoft blog here.
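For systems outside WinMan ERP, one way to check which Log4j 2 version an application actually ships is to read the version recorded inside its archives. The following is an added example, not code from WinMan or from the Log4j project: it inspects a JAR, WAR or EAR (including archives nested inside it), reports the log4j-core version against the ranges described above, and notes whether the JNDI lookup class is present. The function names and the `make_jar` sample builder are hypothetical, and the sample archives are constructed stand-ins.

```python
import io, re, zipfile
# Real locations inside a log4j-core JAR: Maven metadata and the JNDI lookup class.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify(version):
    """Map a log4j-core version string onto the ranges given in the article."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    if major != 2:
        return "not-log4j2"
    if minor < 15:
        return "affected"            # 2.0 to 2.14.1
    if minor == 15:
        return "lookups-disabled"    # 2.15: JNDI message lookups off by default
    return "lookups-removed"         # 2.16 and later: message lookup removed

def inspect_archive(data, name="<archive>", depth=0):
    """Findings for one JAR/WAR/EAR passed as bytes, following nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings              # not an archive: nothing to report
    with zf:
        names = set(zf.namelist())
        if POM in names:
            props = zf.read(POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "?"
            findings.append((name, version, classify(version), JNDI_CLASS in names))
        if depth < 3:                # WARs and fat JARs embed other JARs
            for inner in sorted(names):
                if inner.lower().endswith((".jar", ".war", ".ear")):
                    findings += inspect_archive(zf.read(inner), f"{name}!{inner}", depth + 1)
    return findings

def make_jar(version, extra=None):
    """Build a constructed stand-in archive in memory (not a real log4j build)."""
    files = dict(extra or {})
    if version:
        files.update({POM: f"version={version}\n", JNDI_CLASS: b""})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, blob in files.items():
            zf.writestr(path, blob)
    return buf.getvalue()
```

To use it on a real system, pass the bytes of each archive found on disk to `inspect_archive`; the classification follows only the version ranges stated in this article, so confirm any finding against the vendor's own guidance.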