We carried out investigations on Friday, 10 December and Wednesday, 15 December 2021.
We initially found 2 internal servers used in our CI/CD processes that had the affected libraries present. The servers were upgraded, and we confirmed the libraries were no longer being used. During the following week we continued monitoring and ran checks to confirm there was no further usage of the library.
For more context, by and large WebMaxy doesn’t use the JVM stack outside of very specific tools (like the 2 servers mentioned above), or it relies on providers like AWS to manage that stack for us (OpenSearch / Kafka).
Your security and that of your end-users have not been affected in any way and no action is required from your side. We will continue to monitor the situation closely and update you promptly and transparently if anything changes.