On Thursday, December 9th, a zero-day exploit in the popular Apache Foundation Java logging library Log4j (v2) was discovered that results in Remote Code Execution (RCE) by logging a certain string. The vulnerability is catalogued as CVE-2021-44228.
Awingu makes use of Java, including Log4j. Our teams have been working on and investigating the vulnerability since it was identified last week.
Here is the status:
- A maintenance release (5.2.4) will be issued in the 2nd half of this week which will fix the possible vulnerability. We recommend that everyone upgrade to this version once it is available. In the meantime, we recommend that our customers and partners upgrade their platform to the latest available version (Awingu 5.2.3).
- Our experts are investigating the risk and the exploit as they apply to Awingu specifically. At this point, the risk and impact are assessed to be low.
Customers and partners can find more information about this via the Awingu support portal (available via https://my.awingu.com).
Update December 15th, 2021: the Awingu 5.2.4 maintenance release is now live. We recommend upgrading as soon as possible. Click here if you’re not sure how to upgrade.