Security Update: CVE-2021-44228 Apache Log4j2

Update: Thursday, January 6, 2022 9:00AM (EST)

SmartBear has closely monitored and analyzed Apache guidance related to the Log4j2 Remote Code Execution (RCE) Vulnerabilities stemming from CVE-2021-44228 and associated vulnerabilities. Risk has been mitigated or remediated on SmartBear-managed cloud products.

New guidance from Apache is to upgrade to Log4J version 2.17.1 on impacted systems, after further issues were found in the previously recommended releases 2.16.0 and 2.17.0. SmartBear does not use any of the configuration patterns those issues depend on. The issue fixed in 2.17.1 (CVE-2021-44832) requires a JDBC Appender configured with a JNDI data source together with the ability to modify the Log4J configuration; the issue fixed in 2.17.0 (CVE-2021-45105) is a denial of service that requires a Context Lookup (for example $${ctx:loginId}) in a layout pattern whose Thread Context data an attacker can influence. Neither condition exists in SmartBear products, so these exploits cannot be triggered. Out of an abundance of caution, SmartBear is continuing to upgrade products to Log4J 2.17.x as part of the normal release cycle.
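The two configuration conditions above can be checked mechanically. The following script, added here as an example and not SmartBear's or Apache's own tooling, audits a Log4j 2 XML configuration for a JDBC appender (reporting whether its data source is resolved through JNDI) and for a Thread Context lookup (${ctx:...} or the deferred $${ctx:...}) in any layout pattern; that same non-default lookup pattern is what CVE-2021-45046 depended on in 2.15.0. The two embedded configurations are constructed samples: the weak one uses both patterns, the corrected one replaces the lookup with the %X{loginId} pattern converter and drops the JDBC appender. Only the XML form of the configuration is handled; JSON, YAML and properties configurations would need their own parser.

```python
"""Audit a Log4j 2 XML configuration for the two configuration patterns the
post-2.15 issues depend on: a JDBC appender (whose data source may be resolved
through JNDI) and a Thread Context lookup in a layout pattern."""
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:name} and the deferred form $${ctx:name} used in PatternLayout.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")


def _is_jdbc_appender(el):
    # Log4j accepts both <JDBC ...> and the strict form <Appender type="JDBC" ...>.
    return el.tag.lower() == "jdbc" or el.attrib.get("type", "").lower() == "jdbc"


def audit_log4j2_config(xml_text):
    """Return (kind, where, detail) tuples; an empty list means neither pattern is used."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _is_jdbc_appender(el):
            jndi = [c.attrib["jndiName"] for c in el
                    if c.tag.lower() == "datasource" and c.attrib.get("jndiName")]
            detail = ", ".join("jndiName=" + j for j in jndi) or "no JNDI data source"
            findings.append(("jdbc-appender", el.attrib.get("name", el.tag), detail))
        # A lookup can sit in a pattern="..." attribute or in <Pattern> element text.
        for value in list(el.attrib.values()) + [el.text or ""]:
            if CTX_LOOKUP.search(value):
                findings.append(("ctx-lookup", el.tag, value.strip()))
    return findings


# Constructed sample: both risky patterns present.
WEAK_CONFIG = """\
<Configuration status="warn">
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %p %c{1.} [%t] $${ctx:loginId} %m%n"/>
    </Console>
    <JDBC name="db" tableName="event_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="stdout"/>
      <AppenderRef ref="db"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: same output, but the context value comes from the %X
# pattern converter (no lookup evaluation) and there is no JDBC appender.
SAFE_CONFIG = """\
<Configuration status="warn">
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %p %c{1.} [%t] %X{loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="stdout"/>
    </Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("safe", SAFE_CONFIG)):
        print(label, audit_log4j2_config(cfg) or "no findings")
```

A finding of kind jdbc-appender is only a problem in combination with write access to the configuration, so treat it as an inventory item; a ctx-lookup finding is the pattern to replace with %X/%mdc regardless of version.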

If you are on an on-premise version or a customized version please view the table below for current status and reach out to our support team at https://support.smartbear.com for further information and mitigation guidance.
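Before relying on the status table, an on-premise operator will want to confirm which log4j-core versions actually ship in the product directory, since copies are often nested inside war or ear files. The following script is an added example, not SmartBear's or Apache's code: it walks a directory tree, opens every .jar/.war/.ear/.zip (recursing into archives nested inside archives), reads the version from log4j-core's Maven pom.properties, records whether the JndiLookup class is present (removing that class was the interim mitigation for versions that could not be upgraded) and compares the version against the fixed release lines published by Apache (2.17.1 for Java 8+, 2.12.4 for Java 7, 2.3.2 for Java 6). The archives produced by build_sample_jar and build_sample_war are constructed stand-ins carrying only metadata, not real Log4j classes.

```python
"""Inventory log4j-core copies under an install directory (including jars nested
inside wars/ears) and flag any below Apache's fixed release lines."""
import io
import re
import sys
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Minimum fixed versions per release line, as published on the Apache Log4j
# security page: 2.17.1 (Java 8+), 2.12.4 (Java 7), 2.3.2 (Java 6).
FIXED_MAIN = (2, 17, 1)
FIXED_LINES = {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.17.0-rc1'."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_fixed(version):
    """True when the version is at or above the fix floor for its release line."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # Log4j 1.x is end of life; unknown versions are not fixed
    return v >= FIXED_LINES.get((v[0], v[1]), FIXED_MAIN)


def scan_archive(data, path, findings=None):
    """Append one finding per log4j-core copy found in `data` (an archive's bytes)."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container (or corrupt); nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.M)
            version = match.group(1).strip() if match else "unknown"
            findings.append({"path": path, "version": version,
                             "jndi_lookup_present": JNDI_LOOKUP in names,
                             "fixed": is_fixed(version)})
        elif JNDI_LOOKUP in names:
            # Shaded or repackaged copy without Maven metadata: report it for
            # manual review rather than silently passing it.
            findings.append({"path": path, "version": "unknown",
                             "jndi_lookup_present": True, "fixed": False})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), path + "!/" + name, findings)
    return findings


def scan_directory(root):
    """Scan every archive below `root`; returns the combined list of findings."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(p.read_bytes(), str(p), findings)
    return findings


def build_sample_jar(version, with_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar: Maven metadata plus a dummy
    JndiLookup.class entry, no real Log4j code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=%s\n" % version)
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war(inner_jar):
    """Constructed web archive that bundles `inner_jar` under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:  # no path given: demonstrate on the constructed sample war
        results = scan_archive(build_sample_war(build_sample_jar("2.14.1")), "sample.war")
    for f in results:
        status = "OK " if f["fixed"] else "FIX"
        print("%s %-8s jndi=%s %s" % (status, f["version"], f["jndi_lookup_present"], f["path"]))
```

Run it as `python scan_log4j.py /opt/<product>` (the file name is an assumption). A copy reported as "unknown" with the JndiLookup class present is usually a shaded build and needs a manual look at its manifest; the JndiLookup flag alone does not mean vulnerable, because 2.17.x still ships the class with JNDI disabled by default.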

Product | Status | Fix Version | Note
AlertSite | Patched | - | AlertSite has updated Log4J to a safe version within their web platform and across the entire monitoring network. No action is required by AlertSite users.
AQTime Pro | Not Impacted | - | -
BitBar (Public Cloud) | Patched | - | BitBar has updated Log4J to a safe version across their environment. No action is required by BitBar users.
BitBar (Private Cloud) | Patched | - | The BitBar team has updated all private cloud instances to use a safe version of the Log4J library. No action is required of BitBar private cloud customers.
Bugsnag (Cloud) | Patched | - | Bugsnag does not directly use Log4J, but does rely on ElasticSearch, which uses Log4J in some capacity. We have applied the recommended mitigations per guidance from ElasticSearch and will update to a new, patched version when available.
Bugsnag (On Prem) | Patched | v3.2111.1 / v4.2111.2 | Bugsnag does not directly use Log4J, but does rely on ElasticSearch, which uses Log4J in some capacity. We have released a new version containing the recommended mitigations per guidance from ElasticSearch and will update to a new, patched version when available.
Capture for Jira (Cloud) | Patched | - | Capture has updated Log4J to a safe version across their cloud environment. No action is required by Capture for Jira users.
Capture for Jira (Server) | Patched | 3.1.1 for Jira 8.x; 2.9.22 for Jira 7.x | Capture for Jira has released an updated version to the Atlassian Marketplace with a safe Log4J dependency for Jira Server customers. Please contact SmartBear support if any assistance upgrading is required.
Collaborator | Not Impacted | - | -
CrossBrowserTesting | Patched | - | CrossBrowserTesting has updated Log4J to a safe version across their environment. No action is required by CrossBrowserTesting users.
CucumberStudio (Cloud) | Patched | - | CucumberStudio does not directly use Log4J, but does rely on ElasticSearch, which uses Log4J in some capacity. We have applied the recommended mitigations per guidance from ElasticSearch and are in the process of updating to a newer version of ElasticSearch, which is not impacted by the issue.
CucumberStudio (Enterprise) | Patched | 3.6.3.0 | CucumberStudio Enterprise does not directly use Log4J, but does rely on ElasticSearch, which uses Log4J in some capacity. We have updated the version of ElasticSearch used by CucumberStudio Enterprise per the recommendation from Elastic. Customers should update their installation to the new version. Please contact SmartBear support if any assistance upgrading is required (https://support.smartbear.com).
LoadComplete | Not Impacted | - | -
LoadNinja | Patched | - | LoadNinja does not directly use Log4J, but does rely on some internal dependencies which include it. While these components are not directly accessible by users, the team has applied a mitigation to prevent the Log4J vulnerability from being exploited. No action is required by LoadNinja users.
QAComplete | Not Impacted | - | -
ReadyAPI | Patched | 3.10.2 | A new version of ReadyAPI is available that updates Log4J to a safe version. Please update your installation to this latest version.
ReadyAPI Performance / LoadUI Pro | Not Impacted | - | -
ReadyAPI TestEngine | Patched | 1.25.2 | A new version of ReadyAPI TestEngine is available that updates Log4J to a safe version. Please update your installation to this latest version.
SoapUI Open Source | Patched | 5.6.1 | A patch is available for the open source SoapUI project as version 5.6.1. Please update your environment to this latest version.
SmartBear License Manager | Not Impacted | - | -
Swagger Open Source | Not Impacted | - | -
SwaggerHub (Cloud) | Patched | - | SwaggerHub does not directly use Log4J, but does rely on ElasticSearch, which uses Log4J in some capacity. We have applied the recommended mitigations per guidance from ElasticSearch and will update to a new, patched version when available.
SwaggerHub (On Prem) | Patched | 1.29.1 | SwaggerHub On-Prem does not directly use Log4J, but does rely on ElasticSearch and other dependencies, which use Log4J in some capacity. We have provided a patch script to update the underlying Log4J libraries for existing installations of SwaggerHub On-Prem. Additionally, version 1.29.1 is available as a fully patched version for new installations. All Marketplace images of SwaggerHub are patched.
TestComplete / TestExecute / TestLeft | Not Impacted | - | -
VirtServer | Patched | 3.7.3 | A new version of VirtServer is available that updates Log4J to a safe version. Please update your installation to this latest version.
Zephyr Enterprise | Patched | 7.7 | A new version of Zephyr Enterprise (7.7) with the patched libraries was released in early January. Self-hosted customers who still require an upgrade, please contact SmartBear support for patch instructions (https://support.smartbear.com).
Zephyr Scale (Cloud) | Not Impacted | - | -
Zephyr Scale (Server) | Patched | 8.7.4 for Jira 7.x+ | Zephyr Scale for Server/DC environments uses the Log4j version provided by Atlassian. According to Atlassian, their version of Log4j is not affected by CVE-2021-44228. We recommend that you monitor Atlassian's notice for further information and follow any updates. Nevertheless, this release includes a fix to mitigate attacks even though Atlassian's Log4j version is not vulnerable. Please contact SmartBear support if any assistance upgrading is required (https://support.smartbear.com).
Zephyr Squad (Cloud) | Patched | - | Zephyr Squad has released an updated version with a safe Log4J dependency across their cloud environment. No action is required by Zephyr Squad users.
Zephyr Squad (Server) | Patched | 6.2.6 for Jira 8.x; 4.8.5 for Jira 7.x | Zephyr Squad has released an updated version to the Atlassian Marketplace with a safe Log4J dependency for Jira Server customers. Please contact SmartBear support if any assistance upgrading is required.

Update: Tuesday, December 28, 2021 2:00PM (EST)

SmartBear has closely monitored and analyzed Apache guidance related to the Log4j2 Remote Code Execution (RCE) Vulnerabilities stemming from CVE-2021-44228 and associated vulnerabilities. Risk has been mitigated or remediated on SmartBear-managed cloud products.

New guidance from Apache is to upgrade to Log4J version 2.17.1 on impacted systems, after further issues were found in the previously recommended releases 2.16.0 and 2.17.0. SmartBear does not use any of the configuration patterns those issues depend on. The issue fixed in 2.17.1 (CVE-2021-44832) requires a JDBC Appender configured with a JNDI data source together with the ability to modify the Log4J configuration; the issue fixed in 2.17.0 (CVE-2021-45105) is a denial of service that requires a Context Lookup (for example $${ctx:loginId}) in a layout pattern whose Thread Context data an attacker can influence. Neither condition exists in SmartBear products, so these exploits cannot be triggered.

Out of an abundance of caution, SmartBear will continue to upgrade products to Log4J 2.17.1 in their next releases in the coming weeks.

If you are on an on-premise version or a customized version please view the table below for current status and reach out to our support team at https://support.smartbear.com for further information and mitigation guidance.

Update: Wednesday, December 22, 2021 2:00PM (EST)

SmartBear has closely monitored and analyzed Apache guidance related to the Log4j2 Remote Code Execution (RCE) Vulnerabilities stemming from CVE-2021-44228 and associated vulnerabilities. Risk has been mitigated or remediated on SmartBear-managed cloud products.

New guidance from Apache is to upgrade to Log4J version 2.17.0 on impacted systems, after a further issue was found in the previously recommended release 2.16.0. SmartBear does not use any of the configuration patterns this issue depends on. The difference between 2.17.0 and 2.16.0 is a potential denial of service (CVE-2021-45105) that exists only when a Context Lookup such as $${ctx:loginId} is used in a layout pattern and the Thread Context data it reads can be influenced by user input. Without these conditions, which do not exist in SmartBear products, the exploit cannot be triggered.

Out of an abundance of caution, SmartBear will continue to upgrade products to Log4J 2.17.0 in their next releases in the coming weeks.

If you are on an on-premise version or a customized version please view the table below for current status and reach out to our support team at https://support.smartbear.com for further information and mitigation guidance.


Update: Tuesday, December 21, 2021 12:00PM (EST)

SmartBear has closely monitored and analyzed Apache guidance related to the Log4j2 Remote Code Execution (RCE) Vulnerabilities stemming from CVE-2021-44228 and associated vulnerabilities. Risk has been mitigated or remediated on SmartBear-managed cloud products.

New guidance from Apache is to upgrade to Log4J version 2.17.0 on impacted systems, after a further issue was found in the previously recommended release 2.16.0. SmartBear does not use any of the configuration patterns this issue depends on. The difference between 2.17.0 and 2.16.0 is a potential denial of service (CVE-2021-45105) that exists only when a Context Lookup such as $${ctx:loginId} is used in a layout pattern and the Thread Context data it reads can be influenced by user input. Without these conditions, which do not exist in SmartBear products, the exploit cannot be triggered.

Out of an abundance of caution, SmartBear will continue to upgrade products to Log4J 2.17.0 in their next releases in the coming weeks.

If you are on an on-premise version or a customized version please view the table below for current status and reach out to our support team at https://support.smartbear.com for further information and mitigation guidance.


Update: Monday, December 20, 2021 12:00PM (EST)

New guidance was received to upgrade to Log4J version 2.17.0 on impacted systems, after additional potential exploits were found in the previously-recommended Log4J upgrade to 2.16.0. SmartBear does not use any of the config patterns that are vulnerable to these exploits.

SmartBear maintains that the Apache Log4j2 Remote Code Execution (RCE) Vulnerabilities stemming from CVE-2021-44228 and associated vulnerabilities, have been mitigated or remediated on SmartBear-managed cloud products. If you are on an on-premise version or a customized version please view the table below for current status and reach out to our support team at https://support.smartbear.com for further information and mitigation guidance.

Out of an abundance of caution, SmartBear will continue to upgrade products to Log4J 2.17.0 in their next release.


Update: Sunday, December 19, 2021 10:00AM (EST)

New guidance was received to upgrade to Log4J version 2.17.0 on impacted systems, after additional potential exploits were found in the previously-recommended Log4J upgrade to 2.16.0. SmartBear does not use any of the config patterns that are vulnerable to these exploits.

SmartBear maintains that the Apache Log4j2 Remote Code Execution (RCE) Vulnerabilities stemming from CVE-2021-44228 and associated vulnerabilities, have been mitigated or remediated on SmartBear-managed cloud products. If you are on an on-premise version or a customized version please view the table below for current status and reach out to our support team at https://support.smartbear.com for further information and mitigation guidance.

Out of an abundance of caution, SmartBear will continue to upgrade products to Log4J 2.17.0 in their next release.


Update: Friday, December 17, 2021 3:00 PM (EST)

The Apache Log4j2 Remote Code Execution (RCE) Vulnerabilities - CVE-2021-44228 and CVE-2021-45046 have been mitigated or remediated on SmartBear-managed cloud products. If you are on an on-premise version or a customized version please view the table for current status. Otherwise please reach out to our support team at https://support.smartbear.com for further information.


Update: Wednesday, December 15, 2021 5:30 PM (EST)

The Apache Log4j2 Remote Code Execution (RCE) Vulnerabilities - CVE-2021-44228 and CVE-2021-45046 have been mitigated or remediated on SmartBear-managed cloud products. If you are on an on-premise version or a customized version, please reach out to our support team at https://support.smartbear.com for further information.

Apache recently announced that the fix for CVE-2021-44228 (upgrading Log4j to at least version 2.15.0) is incomplete when certain non-default or custom configurations are used (CVE-2021-45046). SmartBear products remain unaffected in light of this new information: SmartBear does not use those non-default configurations, and the residual risk of running Log4j 2.15.0 is low.

Many SmartBear products are already using Log4j 2.16.0. Out of an abundance of caution, SmartBear products not already on 2.16 will update to this version in the next available release.


Update: Monday, December 13, 2021 1:00 PM (EST)

SmartBear is aware of the recently disclosed security issue affecting the open-source Apache "Log4j2" utility (CVE-2021-44228). The Security team is actively working to mitigate our exposure and continues to provide enhanced monitoring of our platforms to safeguard information. Potentially affected resources have been identified, and our Information Technology and Information Security teams are working closely together to remediate any potential exposure in our platforms and environment. We will keep you updated on patches as they become available for on-prem instances of our products. Please check back for further updates.