Does the ReadyAPI 3.20 version contain Log4j 2.17?
Hello -
Log4J 2.16 has the fix for CVE-2021-45046.
Now CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j.
Does the ReadyAPI 3.20 release come with Log4j 2.17?
Appreciate your reply.
Thanks!
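The question above (which Log4j version a product actually ships) can be answered locally rather than waiting on a vendor statement. The following script is an added example, not code from the thread, SmartBear, or ReadyAPI: it walks an install directory, finds every `log4j-core-*.jar`, reads `Implementation-Version` from the jar's `META-INF/MANIFEST.MF`, flags anything below 2.17.0 (the fix version named in the post for CVE-2021-45105), and also reports whether `JndiLookup.class` is still present. The sample jars it builds in a temp directory are constructed stand-ins, not real Log4j artifacts; the directory layout and `make_sample_jar` helper are assumptions for the demo.

```python
import io
import os
import re
import tempfile
import zipfile

# Per the thread, CVE-2021-45105 is fixed in Log4j 2.17.0; anything older is flagged.
FIXED_VERSION = (2, 17, 0)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_JAR_NAME_RE = re.compile(r"^log4j-core-.*\.jar$", re.IGNORECASE)


def parse_version(text):
    """'2.16.0' -> (2, 16, 0); '2.0-alpha1' -> (2, 0, 0); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def inspect_jar(jar_bytes):
    """Return (version_text, has_jndi_lookup) for a log4j-core jar held in memory."""
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        has_jndi = any(n.endswith("org/apache/logging/log4j/core/lookup/JndiLookup.class")
                       for n in names)
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.lower().startswith("implementation-version:"):
                    version = line.split(":", 1)[1].strip()
                    break
    return version, has_jndi


def classify(version_text):
    """'ok' at or above the fixed version, 'outdated' below it, 'unknown' if unreadable."""
    v = parse_version(version_text) if version_text else None
    if v is None:
        return "unknown"
    return "ok" if v >= FIXED_VERSION else "outdated"


def scan_directory(root):
    """Walk an install tree and return one finding per log4j-core jar."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not _JAR_NAME_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                version, has_jndi = inspect_jar(fh.read())
            findings.append({"path": path, "version": version,
                             "status": classify(version),
                             "jndi_lookup_present": has_jndi})
    return sorted(findings, key=lambda f: f["path"])


def make_sample_jar(version, include_jndi):
    """Constructed stand-in for a log4j-core jar (assumption: not a real Log4j artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        if include_jndi:
            # Class file magic only; the real class body is irrelevant to the check.
            zf.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class",
                        b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def scan_sample_tree():
    """Build a constructed lib/ directory with a 2.16.0 and a 2.17.0 jar, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "lib")
        os.makedirs(lib)
        for ver, jndi in (("2.16.0", True), ("2.17.0", True)):
            with open(os.path.join(lib, "log4j-core-%s.jar" % ver), "wb") as fh:
                fh.write(make_sample_jar(ver, jndi))
        return scan_directory(tmp)


if __name__ == "__main__":
    for finding in scan_sample_tree():
        print(finding)
```

Point `scan_directory` at the real installation root to audit a deployed product; a jar whose manifest lacks `Implementation-Version` is reported as `unknown` rather than silently passed, and `jndi_lookup_present` distinguishes an upgraded jar from one where the class was only stripped out as a CVE-2021-44228 workaround.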
Hi,
New guidance was received to upgrade to Log4J version 2.17.0 on impacted systems, after additional potential exploits were found in the previously-recommended Log4J upgrade to 2.16.0. SmartBear does not use any of the config patterns that are vulnerable to these exploits.
SmartBear maintains that the Apache Log4j2 Remote Code Execution (RCE) Vulnerabilities stemming from CVE-2021-44228 and associated vulnerabilities have been mitigated or remediated on SmartBear-managed cloud products. If you are on an on-premise version or a customized version, please view the table below for current status and reach out to our support team at https://support.smartbear.com for further information and mitigation guidance.
As an overabundance of caution, SmartBear will continue to upgrade products to Log4J 2.17.0 as part of their next release.
You can check individual product statuses here: https://smartbear.com/security/cve-2021-44228/