Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228

Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228

Note — We will update this announcement with new details as they emerge from our analysis. Please check back periodically.

Important: Security Vulnerability CVE-2021-44228

The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.12.2 and Log4j 2.16.0.


Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution.


One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. This meant that when user input is logged, and that user input contained a JNDI Lookup pointing to a malicious server, then Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from that remote server. This in turn could execute any code during deserialization. This is known as a RCE (Remote Code Execution) attack.

Tx3 Product Impact

We have verified that the vulnerability does not exist in our products:
  1. VERA for ALM
  2. VERA DevOps
  3. VERA Electronic Signatures for Jira (Cloud, Data Center & Cloud)

Tx3 Helios (SaaS) Impact

We performed an impact analysis on our hosted products: 

Impacted Version(s)

MicroFocus Application Lifecycle Management (ALM)
15.5.0 and later
Manually replace:
  1. log4j-1.2-api.jar
  2. log4j-api.jar
  3. log4j-core.jar
  4. log4j-slf4j-impl.jar
Fix applied 12/18/2021

ALM Patch:
MicroFocus Connect
 4.4.1 and earlier
Hotfix available for:
  1. 4.4.1 - HF8
  2. 4.3.1 - HF1
  3. 4.2.0 - HF1
HF8 Fix applied 01/10/2022

TaskTop Hub
19.4.0 and later
Fixed Tasktop versions:
  1. Tasktop Hub 20.4.40
  2. Tasktop Hub 21.1.47
  3. Tasktop Hub 21.2.36
  4. Tasktop Hub 21.3.24
  5. Tasktop Hub 21.4.13
  6. Tasktop Hub
Note: This fix will be applied to all Tasktop versions later than the versions listed above.
Fixed applied

Tricentis qTest
10.5.3 and earlier

Elasticsearch fix:
 JVM option 3.7k -Dlog4j2.formatMsgNoLookups=true

qTest Patch should be available on 12/20

Elasticsearch Fix applied 12/18/2021

Elasticsearch Fix: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

qTest 10.5.3 and earlier include a version of the Elasticsearch REST client (7.6.2) libraries that contain the log4j vulnerability.
Note: MicroFocus ALM Global Search and Tricentis Tosca License Server are not hosted on Tx3 Helios

    • Related Articles

    • How to Prevent or Fix Dry Runs created in Ready for Execution Test Set

      Problem: Rarely, dry runs (i.e. runs with the Draft Run field set to Y) can be created in formal test sets. This is due to an ALM feature that automatically marks runs created from a "Checked Out" test case as Draft Run = Y.  Prevention/Mitigation: ...
    • Tx3 Support Reference Guide

      For important information regarding Tx3 support please see attachments Tab and download the Support General Reference Guide. Support Update: The support@tx3services.com email address is no longer a valid way to open or respond to a support case. ...
    • VERA for ALM 2.10 Released!

      We are very pleased to announce the latest version of VERA for ALM.  The following improvements were made: We added some new configuration options that can be added to your template: Ability to Prevent Step Execution if evidence is required Support ...
    • Gaps in ALM Run ID sequence

      Problem Runs appear to be deleted in a VERA configured ALM project.  Here are known ways that runs appear to be deleted: A user opens a test in ALM.  When a run is started, the Run is created in the database.  If at any time, including if the user ...
    • Useful Information needed when opening Support Case

      Detailed steps to reproduce Issue the issue. VERA Version Information (Click the “GO” button, Click “Version Information” and Copy to Clipboard option.) ALM Version and Patch Level Does the issue happen in a single project? Does the issue happen on a ...