As a valued Webdam customer we wanted to let you know that we are aware that a vulnerability was disclosed for Log4j, a Java-based logging utility found in a wide number of software products, from the Apache foundation. The vulnerability was published as CVE-2021-44228 and categorized as critical (CVSS 10.0). A large number of applications are affected by this globally. Since the Webdam application is developed with PHP the exposure to this vulnerability was very limited.
The Webdam engineering, product and information security teams have worked to apply the necessary patches to Webdam by upgrading the vulnerable log4j function. You do not need to take any action in relation to Webdam.
We have completed our log analysis and can confirm that there is NO evidence of a confirmed security incident, unauthorized disclosure, or access to personal data.
Bynder is also aware of a potential DDoS vulnerability in version 2.15 of Log4j. The new vulnerability was published as CVE-2021-45046. Although this vulnerability is not as severe as the vulnerability identified in older Log4j versions (CVSS 3,7), our teams are addressing this and are upgrading Log4j, on our platforms, to version 2.16.
Bynder is also aware of a potential vulnerability in version 2.16 of Log4j. The new vulnerability was published as CVE-2021-45105. This vulnerability is not as severe as the initial vulnerability identified in Log4j versions 2.x (CVSS 7.5). As such, this vulnerability has been identified as “major” and will be addressed by upgrading to version 2.17.
We recommend our customers check whether any other (non-Webdam) software you are using may be impacted by this issue and contact their respective vendors to obtain a status update.
Webdam will continue to provide updates as necessary.