Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228

Note — We will update this announcement with new details as they emerge from our analysis. Please check back periodically.

Important: Security Vulnerability CVE-2021-44228

The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.12.2 and Log4j 2.16.0.

Summary

Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution.

Details

One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. This meant that when user input was logged, and that user input contained a JNDI Lookup pointing to a malicious server, Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from that remote server. That code could in turn be executed during deserialization. This is known as an RCE (Remote Code Execution) attack.

Tx3 Product Impact

We have verified that the vulnerability does not exist in our products:
  1. VERA for ALM
  2. VERA DevOps
  3. VERA Electronic Signatures for Jira (Cloud, Data Center & Cloud)

Tx3 Helios (SaaS) Impact

We performed an impact analysis on our hosted products:

Product: MicroFocus Application Lifecycle Management (ALM)
Impacted Version(s): 15.5.0 and later
Fix/Remediation: Manually replace:
  1. log4j-1.2-api.jar
  2. log4j-api.jar
  3. log4j-core.jar
  4. log4j-slf4j-impl.jar
Details: Fix applied 12/18/2021. ALM Patch:

Product: MicroFocus Connect
Impacted Version(s): 4.4.1 and earlier
Fix/Remediation: Hotfix available for:
  1. 4.4.1 - HF8
  2. 4.3.1 - HF1
  3. 4.2.0 - HF1
Details: HF8 Fix applied 01/10/2022

Product: Tasktop Hub
Impacted Version(s): 19.4.0 and later
Fix/Remediation: Fixed Tasktop versions:
  1. Tasktop Hub 20.4.40
  2. Tasktop Hub 21.1.47
  3. Tasktop Hub 21.2.36
  4. Tasktop Hub 21.3.24
  5. Tasktop Hub 21.4.13
  6. Tasktop Hub 22.1.0.20211215-b2449
  Note: This fix will be applied to all Tasktop versions later than the versions listed above.
Details: Fix applied 01/10/2022

Product: Tricentis qTest
Impacted Version(s): 10.5.3 and earlier
Fix/Remediation: Elasticsearch fix: JVM option -Dlog4j2.formatMsgNoLookups=true. qTest Patch should be available on 12/20.
Details: Elasticsearch Fix applied 12/18/2021. Elasticsearch Fix: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476. qTest 10.5.3 and earlier include a version of the Elasticsearch REST client (7.6.2) libraries that contain the log4j vulnerability.

Note: MicroFocus ALM Global Search and Tricentis Tosca License Server are not hosted on Tx3 Helios.
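The ALM remediation above comes down to replacing the Log4j jars on disk, so a practitioner will want a way to confirm what version of log4j-core is actually deployed after the swap. The following is an added example, not Tx3's or Apache's own code: it reads Implementation-Version from a jar's manifest, compares it against the fixed releases named in this advisory (2.12.2 on the 2.12 branch, 2.16.0 otherwise), and additionally checks whether the JndiLookup class is present, since removing that class from log4j-core is Apache's documented mitigation for 2.x builds that cannot be upgraded (an assumption not stated on this page). The sample jars are constructed in memory and are not real Log4j artifacts.

```python
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); return None if the string is not dotted digits."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed_version(v):
    """True when v is at or past a fixed release on its branch, per this advisory
    (2.12.2 for the 2.12 line, 2.16.0 for everything else)."""
    if v is None or v[0] != 2:
        return False
    if v[:2] == (2, 12):
        return v >= (2, 12, 2)
    return v >= (2, 16, 0)


def assess_log4j_core(jar_bytes):
    """Classify a log4j-core jar (given as bytes) as fixed, mitigated or vulnerable."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = parse_version(m.group(1)) if m else None
    has_jndi = JNDI_LOOKUP_CLASS in names
    if is_fixed_version(version):
        verdict = "fixed"
    elif not has_jndi:
        verdict = "mitigated"  # JndiLookup class stripped from the jar (assumed mitigation)
    else:
        verdict = "vulnerable"  # old release and the lookup class is still shipped
    return {"version": version, "has_jndi_lookup": has_jndi, "verdict": verdict}


def make_test_jar(version, include_jndi_lookup):
    """Build a constructed, minimal jar in memory; placeholder bytes, not a real class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, jndi in (("2.14.1", True), ("2.14.1", False), ("2.16.0", True), ("2.12.2", True)):
        print(ver, assess_log4j_core(make_test_jar(ver, jndi)))
```

To check a deployed file, pass `open("log4j-core.jar", "rb").read()` to `assess_log4j_core`; a "mitigated" verdict only means the class is absent, it does not replace upgrading to a fixed release.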
