Forum Discussion

ramaG
Contributor
3 years ago

Does ReadyAPI 3.20 version contain log4j 2.17?

Hello - Log4J 2.16 has a fix for CVE-2021-45046. Now CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2....
  • D0UG
    3 years ago

    Hi,

    New guidance was received to upgrade to Log4J version 2.17.0 on impacted systems, after additional potential exploits were found in the previously-recommended Log4J upgrade to 2.16.0. SmartBear does not use any of the config patterns that are vulnerable to these exploits.

    SmartBear maintains that the Apache Log4j2 Remote Code Execution (RCE) Vulnerabilities stemming from CVE-2021-44228 and associated vulnerabilities have been mitigated or remediated on SmartBear-managed cloud products. If you are on an on-premise version or a customized version, please view the table below for current status and reach out to our support team at https://support.smartbear.com for further information and mitigation guidance.

    As an overabundance of caution, SmartBear will continue to upgrade products to Log4J 2.17.0 as part of their next release.

    You can check individual product statuses here: https://smartbear.com/security/cve-2021-44228/
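
One way to answer the question in this thread for an on-premise install is to inventory the bundled `log4j-core` jars and compare them with the 2.16.0 and 2.17.0 thresholds mentioned above. This is an added example, not code from SmartBear or the posters; it assumes jars keep the standard `log4j-core-<version>.jar` file name, and the sample directory names are constructed.

```python
import re
import tempfile
from pathlib import Path

# Standard artifact naming, e.g. log4j-core-2.16.0.jar or log4j-core-2.0-beta9.jar
JAR_RE = re.compile(r"^log4j-core-((\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9.]+)?)\.jar$")

FIXED = "at or above 2.17.0"
NEEDS_217 = "has the 2.16 fix for CVE-2021-45046, needs 2.17.0 for CVE-2021-45105"
BELOW_216 = "below 2.16.0"

def classify(jar_name):
    """Return (version, status) for a log4j-core jar file name, else None."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    ver = (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))
    # Thresholds come from the thread. Assumption: backport release lines
    # (for example 2.12.x) are not modelled and are reported as below 2.16.0.
    if ver >= (2, 17, 0):
        return m.group(1), FIXED
    if ver >= (2, 16, 0):
        return m.group(1), NEEDS_217
    return m.group(1), BELOW_216

def scan(root):
    """Walk an install directory and classify every log4j-core jar found."""
    results = {}
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        verdict = classify(jar.name)
        if verdict:
            results[jar.relative_to(root).as_posix()] = verdict
    return results

def demo():
    # Constructed sample tree; directory and file names are hypothetical.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("lib/log4j-core-2.17.0.jar", "bin/ext/log4j-core-2.16.0.jar",
                    "plugins/old/log4j-core-2.0-beta9.jar", "lib/log4j-api-2.17.0.jar"):
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.touch()
        return scan(root)

if __name__ == "__main__":
    for path, (version, status) in demo().items():
        print(f"{path}: {version} -> {status}")
```

A file-name check misses renamed or shaded copies of the library, so treat a clean result as a first pass and confirm against the vendor's product status page.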