Snow Commander - bundled Log4j 2 library version is exposed to vulnerability (CVE-2021-44228)
Update: 22 Dec 2021
Due to an issue that may cause some customers to experience cloud connection problems, we have suspended the release of Snow Commander 8.10.2. We recommend that customers who installed Snow Commander 8.10.2 upgrade to Snow Commander 8.10.3 if they experience cloud connection issues.
As stated below, we strongly recommend that customers using any version of Snow Commander and the VM Access Proxy upgrade to Snow Commander 8.10.3 and/or VM Access Proxy 3.7, which is targeted to be released by Snow Software on December 22, 2021.
Snow Software provided guidance regarding the Log4j vulnerability (CVE-2021-44228) on 15th December 2021 and 16th December 2021 based on recommendations from the Apache Software Foundation. This KB includes updated guidance (20 December 2021) based on a new Log4j vulnerability (CVE-2021-45105).
Flaws in Log4j, a key Java logging framework developed by the open-source Apache Software Foundation, are the most high-profile security vulnerabilities on the internet right now. The two Log4j vulnerabilities reported by cve.mitre.org are as follows:
- CVE-2021-44228 carries a severity score of 10 out of 10. Snow Software, along with many other companies across the globe, became aware of this vulnerability on Friday, 10 December 2021. In response, on 20 December 2021, Snow Software released Commander 8.10.0/8.10.1 and VM Access Proxy 3.6, versions that include Log4j 2.16.0, which the Apache Software Foundation reported addresses CVE-2021-44228.
- CVE-2021-45105 carries a severity score of 7.5 out of 10. Regretfully, Snow Software became aware of this flaw only after releasing Commander 8.10.0/8.10.1 and VM Access Proxy 3.6.
Affected Versions and Recommendations
- Affected versions: All versions of Snow Commander (through and including version 8.10.1)
- CVE record(s): CVE-2021-44228 and CVE-2021-45105
- Snow recommendation: Customers should upgrade to Snow Commander 8.10.3 at the earliest opportunity. This version contains Log4j 2.17.0, which the Apache Software Foundation states addresses CVE-2021-45105.
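Before and after upgrading, a practitioner will want to confirm which log4j-core the installed product actually bundles rather than trusting the product version string alone. The script below is an added example and is not Snow Software's code: it walks an install tree, opens every .jar/.war/.ear (recursing into nested archives such as WEB-INF/lib), reads the log4j-core version from the manifest or pom.properties, notes whether JndiLookup.class is still present, and compares the version against 2.17.0, the release the advisory names (Apache's 2.12.3 and 2.3.1 backports for the Java 7 and Java 6 branches are treated as equivalent). The install path /opt/snow-commander and the sample archives are assumptions constructed for the example; nothing here is a real Snow Commander artifact. One caveat the check makes explicit: stripping JndiLookup.class only mitigates CVE-2021-44228; CVE-2021-45105 lives in the context-lookup recursion and is only addressed by the upgraded release.

```python
"""Scan an install tree for bundled log4j-core jars and report whether each
one is at or above the release the advisory names (2.17.0)."""
import io
import re
import zipfile
from pathlib import Path

# Hypothetical install root: the advisory does not state the real path.
INSTALL_ROOT = Path("/opt/snow-commander")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
CORE_MARKER = "org/apache/logging/log4j/core/"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'Implementation-Version: 2.17.0' -> (2, 17, 0); '2.16' -> (2, 16, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fixed_for_cve_2021_45105(version):
    """2.17.0 is the fix named in the advisory; 2.12.3 and 2.3.1 are Apache's
    equivalent backports for the Java 7 and Java 6 branches."""
    if version[:2] == (2, 12):
        return version >= (2, 12, 3)
    if version[:2] == (2, 3):
        return version >= (2, 3, 1)
    return version >= (2, 17, 0)


def log4j_core_version(zf):
    """Read the bundled version from MANIFEST.MF, falling back to pom.properties."""
    names = set(zf.namelist())
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line)
    pom = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    if pom in names:
        for line in zf.read(pom).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line)
    return None


def inspect_archive(data, label):
    """One finding per log4j-core in `data`; recurses into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        if any(n.startswith(CORE_MARKER) for n in names):
            version = log4j_core_version(zf)
            findings.append({
                "path": label,
                "version": version,
                # Removing JndiLookup.class mitigates CVE-2021-44228 only; the
                # CVE-2021-45105 recursion fix requires the upgraded release.
                "jndi_lookup_present": JNDI_CLASS in names,
                "fixed_45105": version is not None and fixed_for_cve_2021_45105(version),
            })
        for n in names:
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(n), f"{label}!/{n}"))
    return findings


def scan_tree(root):
    """Scan every archive under `root` on a real install."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(path.read_bytes(), str(path)))
    return findings


def build_archive(entries):
    """Build an in-memory zip from {name: bytes} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_archives():
    """Constructed sample data, not real Snow Commander artifacts."""
    def core(version, with_jndi=True):
        entries = {
            "META-INF/MANIFEST.MF": f"Manifest-Version: 1.0\nImplementation-Version: {version}\n".encode(),
            CORE_MARKER + "LogEvent.class": b"\xca\xfe\xba\xbe",
        }
        if with_jndi:
            entries[JNDI_CLASS] = b"\xca\xfe\xba\xbe"
        return build_archive(entries)
    return {
        "commander-old.war": build_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": core("2.14.1")}),
        "commander-mitigated.jar": core("2.16.0", with_jndi=False),  # JndiLookup stripped, 45105 still open
        "commander-8.10.3.jar": core("2.17.0"),
    }


def scan_samples():
    findings = []
    for name, data in sample_archives().items():
        findings.extend(inspect_archive(data, name))
    return findings


if __name__ == "__main__":
    for finding in scan_samples():  # use scan_tree(INSTALL_ROOT) against a real install
        print(finding)
```

On a live system, replace scan_samples() with scan_tree(INSTALL_ROOT) (and, for the VM Access Proxy, its own install directory); any finding whose fixed_45105 is False is a host still in the affected set regardless of what the product's own version banner says.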