As a valued Bynder customer we wanted to let you know that we are aware that a vulnerability was disclosed for Log4j, a Java-based logging utility found in a wide number of software products, from the Apache foundation. The vulnerability was published as CVE-2021-44228 and categorized as critical (CVSS 10.0). A large number of applications are affected by this globally.
The Bynder engineering, product and information security teams have worked to apply the necessary patches to the Bynder DAM by upgrading the vulnerable log4j function. Y
You do not need to take any action in relation to your Bynder DAM.
We have completed our log analysis and can confirm that there is NO evidence of a confirmed security incident, unauthorized disclosure, or access to personal data.
Bynder is also aware of a potential DDoS vulnerability in version 2.15 of Log4j. The new vulnerability was published as CVE-2021-45046. Although this vulnerability is not as severe as the vulnerability identified in older Log4j versions (CVSS 3.7), our teams have upgraded Log4j, on our platforms, to version 2.16.
Bynder is also aware of a potential vulnerability in version 2.16 of Log4j. The new vulnerability was published as CVE-2021-45105. This vulnerability is not as severe as the initial vulnerability identified in Log4j versions 2.x (CVSS 7.5). As such, this vulnerability has been identified as “major” and will be addressed as per Bynder’s SLA.
We recommend our customers check whether any other (non-Bynder DAM) software you are using may be impacted by this issue and contact their respective vendors to obtain a status update.
Bynder has taken the necessary measures to address the vulnerabilities known in Log4j. Bynder is and will continue to closely monitor further developments and address them accordingly.
Bynder will continue to provide updates as necessary.