Our IT company sent an email today with a notice for a vulnerability that affects a "significant amount of software". Apache has released a patch for it. Is this something used in Arena? If yes, how do we make sure it gets patched?
The email we got states:
Apache announced vulnerabilities related to a Java logging package, log4j, which is used in a significant amount of software. The severity of this issue has been given a CRITICAL severity range with a base score of 10. The details of the vulnerabilities can be found here: CVE-2021-44228. These vulnerabilities can be exploited by malicious actors.
Apache has released a patch and it should be updated immediately; however, most of the impacted software will need to incorporate the fix into their patching process in order to address the vulnerability. If you are using Apache log4j locally, patch immediately.