Forum Discussion

ramaG
Contributor
4 years ago

Does ReadyAPI 3.20 contain log4j 2.17?

Hello -

Log4J 2.16 has the fix for CVE-2021-45046.

Now CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j.

Does the ReadyAPI 3.20 release come with log4j 2.17?

Appreciate your reply.

Thanks!

  • D0UG
    4 years ago

    Hi,

    New guidance was received to upgrade to Log4J version 2.17.0 on impacted systems, after additional potential exploits were found in the previously-recommended Log4J upgrade to 2.16.0. SmartBear does not use any of the config patterns that are vulnerable to these exploits.

    SmartBear maintains that the Apache Log4j2 Remote Code Execution (RCE) vulnerabilities stemming from CVE-2021-44228 and associated vulnerabilities have been mitigated or remediated on SmartBear-managed cloud products. If you are on an on-premise version or a customized version, please view the table below for current status and reach out to our support team at https://support.smartbear.com for further information and mitigation guidance.

    Out of an abundance of caution, SmartBear will continue to upgrade products to Log4J 2.17.0 as part of their next release.

    You can check individual product statuses here: https://smartbear.com/security/cve-2021-44228/


  • TNeuschwanger
    Champion Level 1

    Hello ramaG,

    Do you have information about an upcoming product version (3.20)? I only see ReadyAPI 3.10.2 available for download. I cannot speculate on what future releases of ReadyAPI are, but I am satisfied with log4j 2.15.0 being included in ReadyAPI 3.10.2. The Apache web site says 2.15.0 addresses the most urgent security threat. Subsequent versions of log4j from 2.15.0 to 2.17.0 address non-default installation threats. I think I read from SmartBear that they only distribute default installation. With that said, I feel safe at log4j 2.15.0. I read on Symantec's site that their virus protection software guards against the exploit. I bet other reputable software virus/malware protection companies do the same. Unless you have no protection enabled on your computer/server, that would be the risk you take.

    If you need to identify which version of log4j SmartBear has included with your version of ReadyAPI, you can look at the installation folder where you installed ReadyAPI. In my instance, I found log4j-xxx-2.15.0.jar in "C:\Program Files\SmartBear\ReadyAPI-3.10.2\lib\".

    Regards,

    Todd
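The check Todd describes (looking in the install folder for log4j-*.jar) can be scripted so it is repeatable across machines. The following is an added example, not code from SmartBear or from anyone in this thread. It walks an install folder, reads each log4j jar's META-INF/MANIFEST.MF so that a renamed jar is not trusted on its file name alone, and reports which of the three fixes named in this thread (2.15.0 for CVE-2021-44228, 2.16.0 for CVE-2021-45046, 2.17.0 for CVE-2021-45105) the bundled version still predates. The folder layout and jar contents it builds are constructed sample data; the assumption that the jar name follows the upstream `log4j-<module>-<version>.jar` pattern and that the manifest carries `Implementation-Version` holds for Apache's own builds but should be confirmed for any vendor repackaging.

```python
"""Inventory the log4j jars bundled under a ReadyAPI (or any Java) install folder.

Added example; this is not SmartBear's tooling. It assumes the jars keep the
upstream "log4j-<module>-<version>.jar" file name and carry an
Implementation-Version entry in META-INF/MANIFEST.MF, as Apache's builds do.
"""
import re
import tempfile
import zipfile
from pathlib import Path

JAR_NAME = re.compile(r"^log4j-(?P<module>[a-z0-9-]+?)-(?P<version>\d+(?:\.\d+)+)\.jar$", re.I)
VERSION = re.compile(r"^\d+(?:\.\d+)+$")

# Fix versions as quoted in the thread: 2.15.0 for CVE-2021-44228,
# 2.16.0 for CVE-2021-45046 and 2.17.0 for CVE-2021-45105.
FIXED_IN = [
    ((2, 15, 0), "CVE-2021-44228"),
    ((2, 16, 0), "CVE-2021-45046"),
    ((2, 17, 0), "CVE-2021-45105"),
]


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); tuples compare numerically where strings would not."""
    return tuple(int(part) for part in text.split("."))


def manifest_version(jar_path):
    """Implementation-Version from the jar manifest, or None if absent or unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "implementation-version" and VERSION.match(value.strip()):
            return value.strip()
    return None


def outstanding_cves(version):
    """CVEs from the thread whose fix version is newer than `version` (a tuple)."""
    return [cve for fixed, cve in FIXED_IN if version < fixed]


def find_log4j_jars(root):
    """Walk `root` recursively; return sorted (relative path, version, outstanding CVEs) tuples.

    The manifest is trusted over the file name, so a renamed jar is still reported correctly.
    """
    root = Path(root)
    found = []
    for jar in root.rglob("*.jar"):
        match = JAR_NAME.match(jar.name)
        if not match:
            continue
        version = manifest_version(jar) or match.group("version")
        found.append((jar.relative_to(root).as_posix(), version,
                      outstanding_cves(parse_version(version))))
    return sorted(found)


def build_sample_install(base):
    """Constructed sample: a ReadyAPI-3.10.2-like tree, mirroring the 2.15.0 jar Todd found."""
    lib = Path(base) / "ReadyAPI-3.10.2" / "lib"
    plugins = Path(base) / "ReadyAPI-3.10.2" / "plugins"
    lib.mkdir(parents=True)
    plugins.mkdir(parents=True)
    samples = [
        (lib / "log4j-api-2.15.0.jar", "2.15.0"),
        (lib / "log4j-core-2.15.0.jar", "2.15.0"),
        # Renamed jar: the file name claims 2.17.0 but the manifest says 2.14.1.
        (plugins / "log4j-core-2.17.0.jar", "2.14.1"),
    ]
    for path, manifest_ver in samples:
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {manifest_ver}\r\n")
    # An unrelated jar that must be ignored by the scan.
    with zipfile.ZipFile(lib / "readyapi-3.10.2.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")


def demo():
    """Build the constructed sample tree in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return find_log4j_jars(tmp)


if __name__ == "__main__":
    for rel, ver, cves in demo():
        print(f"{rel}: {ver} -> {'no outstanding fixes from this thread' if not cves else ', '.join(cves)}")
```

To run it against a real install, call `find_log4j_jars(r"C:\Program Files\SmartBear\ReadyAPI-3.10.2")` instead of `demo()`; the renamed-jar case in the sample is there to show why the manifest, not the file name, should decide the version you record in an inventory.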
