Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228
Note — We will update this announcement with new details as they emerge from our analysis. Please check back periodically.
Important: Security Vulnerability CVE-2021-44228
The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.12.2 and Log4j 2.16.0.
Summary
Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution.
Details
One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. This meant that when user input was logged, and that user input contained a JNDI Lookup pointing to a malicious server, Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from that remote server. This in turn could execute arbitrary code during deserialization. This is known as an RCE (Remote Code Execution) attack.
Tx3 Product Impact
We have verified that the vulnerability does not exist in our products:
- VERA for ALM
- VERA DevOps
- VERA Electronic Signatures for Jira (Cloud, Data Center & Cloud)
Tx3 Helios (SaaS) Impact
We performed an impact analysis on our hosted products:
Product | Impacted Version(s) | Fix | Remediation | Details
MicroFocus Application Lifecycle Management (ALM) | 15.5.0 and later | Manually replace: log4j-1.2-api.jar, log4j-api.jar, log4j-core.jar, log4j-slf4j-impl.jar | Fix applied 12/18/2021 | ALM Patch:
MicroFocus Connect | 4.4.1 and earlier | Hotfix available for: 4.4.1 - HF8; 4.3.1 - HF1; 4.2.0 - HF1 | HF8 fix applied 01/10/2022 |
TaskTop Hub | 19.4.0 and later | Fixed Tasktop versions: Tasktop Hub 20.4.40; Tasktop Hub 21.1.47; Tasktop Hub 21.2.36; Tasktop Hub 21.3.24; Tasktop Hub 21.4.13; Tasktop Hub 22.1.0.20211215-b2449. Note: this fix will be applied to all Tasktop versions later than the versions listed. | Fix applied 01/10/2022 |
Tricentis qTest | 10.5.3 and earlier | Elasticsearch fix: JVM option -Dlog4j2.formatMsgNoLookups=true; qTest patch should be available on 12/20 | Elasticsearch fix applied 12/18/2021 | Elasticsearch fix: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 ; qTest 10.5.3 and earlier include a version of the Elasticsearch REST client (7.6.2) libraries that contains the log4j vulnerability.
Note: MicroFocus ALM Global Search and Tricentis Tosca License Server are not hosted on Tx3 Helios
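The remediation table above comes down to two checks an operator can automate: is every log4j-core jar on a host at or above the fixed releases named in this announcement (2.12.2 for the 2.12.x line, 2.16.0 otherwise), and, for the qTest/Elasticsearch case, does the JVM command line carry the -Dlog4j2.formatMsgNoLookups=true option? The script below is an added example, not Tx3's, Micro Focus', Tasktop's, Tricentis' or Apache's code. It reads the version from the META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties entry that Maven-built log4j-core jars carry, and the sample jars it scans are constructed in a temporary directory so it runs offline; the version threshold logic is an assumption derived from the two fixed versions this page states.

```python
"""Added example: inventory log4j-core jars under a directory and report whether
each is at/after the fixed releases this advisory names, plus a check for the
JVM mitigation flag used in the qTest/Elasticsearch row."""
import os
import re
import tempfile
import zipfile

# Entry inside a Maven-built log4j-core jar that records the artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

FIXED_2_12 = (2, 12, 2)   # fix for the 2.12.x line, per the advisory
FIXED_MAIN = (2, 16, 0)   # fix for the main 2.x line, per the advisory


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable 3-int tuple."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_fixed(version):
    """True when a log4j-core version is at/after the fix for its release line
    (assumption: 2.12.x is fixed at 2.12.2, every other 2.x line at 2.16.0)."""
    v = parse_version(version) if isinstance(version, str) else version
    if v[:2] == (2, 12):
        return v >= FIXED_2_12
    return v >= FIXED_MAIN


def log4j_core_version(jar_path):
    """Return the version recorded in the jar's pom.properties, or None if the
    file is not a log4j-core jar (or not a valid zip at all)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM_PROPERTIES not in zf.namelist():
                return None
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jars(root):
    """Walk a directory tree; return {jar_path: (version, fixed?)} for every
    log4j-core jar found."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path)
            if version is not None:
                findings[path] = (version, is_fixed(version))
    return findings


def has_no_lookups_flag(jvm_args):
    """True when the JVM command line carries -Dlog4j2.formatMsgNoLookups=true."""
    return any(a.strip() == "-Dlog4j2.formatMsgNoLookups=true" for a in jvm_args.split())


def make_fake_log4j_jar(path, version):
    """Constructed sample: a minimal jar containing only pom.properties."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"version={version}\ngroupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\n")


def demo():
    """Build constructed sample jars in a temp dir, scan them, and return the
    findings keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_log4j_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
        make_fake_log4j_jar(os.path.join(tmp, "log4j-core-2.12.2.jar"), "2.12.2")
        os.makedirs(os.path.join(tmp, "lib"))
        make_fake_log4j_jar(os.path.join(tmp, "lib", "log4j-core-2.16.0.jar"), "2.16.0")
        # A jar that is not log4j-core at all must be ignored.
        with zipfile.ZipFile(os.path.join(tmp, "other.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return {os.path.basename(p): v for p, v in scan_jars(tmp).items()}


if __name__ == "__main__":
    for name, (version, fixed) in sorted(demo().items()):
        print(f"{name}: log4j-core {version} -> {'fixed' if fixed else 'VULNERABLE'}")
    print("JVM flag present:", has_no_lookups_flag("-Xmx2g -Dlog4j2.formatMsgNoLookups=true"))
```

Point scan_jars at an application's install or lib directory; shaded or repackaged jars that drop the Maven metadata will not be detected this way and need a manual look. The log4j2.formatMsgNoLookups property is only honoured by Log4j 2.10.0 and later, so the flag check is meaningful only alongside the version check, not instead of it.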