Update: Cleo has implemented emergency patches for both Apache Log4j2 vulnerabilities (CVE-2021-44228 and CVE-2021-45046). No further action is required, as CIC is not susceptible to these CVEs.
Dec 15: Cleo released an emergency update to CIC at 12:00pm CT (6:00pm GMT) to patch the Apache Log4j2 vulnerability (CVE-2021-45046).
Dec 14: A second Apache Log4j2 vulnerability (CVE-2021-45046) was discovered. Cleo engineers immediately started on an emergency patch to log4j 2.16.
Dec 13: Cleo's engineers began an immediate investigation and identified a component in CIC: Cloud Edition that was using log4j version 2. We built and released an emergency patch to log4j 2.15, closing the identified vulnerability.
Dec 10: On December 10th, 2021, Cleo was made aware of a log4j2 remote code execution (RCE) vulnerability (CVE-2021-44228). The CVE-2021-44228 vulnerability affects log4j versions 2.0-beta-9 through 2.14.1.
The following Cleo products utilize log4j v1 and are not subject to either CVE:
· Cleo LexiCom
· Cleo VLTrader
· Cleo Harmony
· Cleo VLProxy
· Cleo Clarify
· Cleo Streem
As such, no further action is required as the listed applications are not susceptible to this CVE.