Update, December 22: On further investigation, OneSpot ships the affected Log4j library but does not log through it; logging goes through a different library, so the vulnerable Log4j code is not invoked. The product team has therefore determined that no patch is needed.
No action is required on your side with respect to a OneSpot patch.
The original announcement remains below.
A new zero-day vulnerability, tracked as CVE-2021-44228, was published in the NIST National Vulnerability Database on Friday, December 10, and was followed by a related NVD entry on December 14th. The vulnerability is in the Log4j Java logging library.
Log4j is a popular open-source logging library maintained by the Apache Software Foundation. The vulnerability (widely referred to as Log4Shell) lets an unauthenticated remote attacker execute arbitrary code on a system that logs attacker-controlled input, because affected versions resolve JNDI lookups embedded in log messages. NIST rates its severity as Critical (CVSS 10.0).
Our investigation shows that OneSpot ships a vulnerable version of Log4j. IgniteTech is working on an update to remove the vulnerability.
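A way to check which Log4j build a deployment actually ships, as an added example that is not part of this announcement and not OneSpot or IgniteTech code: the script below inspects every jar under a directory for the `JndiLookup` class and the `Implementation-Version` in its manifest, and flags any jar that still carries the class at a version below 2.16.0. The deployment path in the comment and the sample jars the script constructs for demonstration are assumptions for illustration, not real Apache artifacts.

```python
import io
import re
import zipfile
from pathlib import Path

# Class that performs JNDI lookups in log4j-core 2.x. Apache's documented mitigation
# for releases that could not be upgraded was to delete this class from the jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# 2.16.0 disabled JNDI by default and removed message lookups; it is the release
# this announcement's patch targets, so anything older is treated as needing action.
FIXED = (2, 16, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates a suffix such as '2.16.0-rc1'. None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def manifest_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(data):
    """Inspect raw jar bytes: manifest version, JndiLookup presence, and a verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf)
    parsed = parse_version(version) if version else None
    has_class = JNDI_LOOKUP in names
    return {
        "version": version,
        "has_jndi_lookup": has_class,
        "below_fixed": parsed is not None and parsed < FIXED,
        # Conservative: the class present with an unknown version is flagged too.
        "needs_action": has_class and (parsed is None or parsed < FIXED),
    }


def scan_directory(root):
    """Map every *.jar under root (recursively) to its inspection result."""
    results = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            results[str(jar)] = inspect_jar(jar.read_bytes())
        except zipfile.BadZipFile:
            results[str(jar)] = {"error": "not a valid zip/jar"}
    return results


def build_sample_jar(version, include_jndi):
    """Constructed stand-in for a log4j-core jar (NOT a real Apache artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    return buf.getvalue()


if __name__ == "__main__":
    # Demonstration on constructed jars. Against a real deployment, call e.g.
    # scan_directory("/opt/onespot/lib") (hypothetical path).
    samples = [
        ("2.14.1 with class", build_sample_jar("2.14.1", True)),
        ("2.14.1 class deleted", build_sample_jar("2.14.1", False)),
        ("2.16.0", build_sample_jar("2.16.0", True)),
    ]
    for label, jar in samples:
        print(label, inspect_jar(jar))
```

The result is an inventory of what is shipped, not proof of exploitability: as the December 22 update illustrates, a vulnerable jar can be present without the application ever logging through it, and conversely a copy repackaged (shaded) under a different path or file name will not be found by a file-name match. A 2.15.0 jar still contains `JndiLookup` and is reported as needing action, consistent with the announcement's choice of 2.16.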
Within the next few days, IgniteTech plans to release a patched version of OneSpot that uses Log4j 2.16. At the time of writing, Log4j 2.16 has no known or published security vulnerabilities. We will update this page if that changes or if any action is required on your side.
This page will be updated when the patch has been released.