Affects:
SPDRM versions 1.5.x,
SPDRM versions 1.10.0 to 1.11.4,
and SPDRM versions 25.0.0 to 25.1.0.

Dear Valued Clients.

We believe that the security and reliability of our products are of paramount importance, and we are consistently committed to ensuring them. As part of our continuous efforts to maintain system integrity, we had removed the Log4j1 library from SPDRM versions released after the discovery of the vulnerability. However, during a recent comprehensive security audit, we identified a re-emergence of the Log4j1 library in some packages due to an Apache Maven dependency. Affected SPDRM versions are: 1.10.0 to 1.11.4 and 25.0.0 to 25.1.0.

About Apache Log4j

Apache Log4j is a Java-based logging utility that is part of the Apache Logging Services. The Log4j vulnerability, named Log4Shell and known as CVE-2021-44228, is a critical vulnerability discovered in the Apache Log4j logging library.

Mitigation Strategy

For installations of SPDRM v1.10.0 to v1.11.4 and SPDRM v25.0.0 to 25.1.0:
We recommend that you download and execute the amendment script that is provided. This script removes all traces of the Log4j1 library and retains only the required Log4j2 bridge libraries, improving the security of your systems.

For installations of SPDRM series 1.5.x:
We recommend that you download and install the latest hot-fix version. This update addresses the Log4j1 library vulnerability in SPDRM, and improves the security of your systems.

Next Steps

The hot-fix version and amendment script are available to you through the same software distribution channel with your SPDRM distribution.

Our technical support team is at your disposal to assist you with any questions or concerns regarding this update.

We appreciate your prompt attention to this matter and your continuous trust in our company and products.