Forum Discussion

JoostDG's avatar
JoostDG
Frequent Contributor
4 years ago

log4j 2.15.0 vulnerability and Ready API 3.10.2

Hi. Another log4j post... since previous topics have been closed with a solution that refers to this communication: https://smartbear.com/security/cve-2021-44228/ 

Just wanted to point out that the current fix provided in readyAPI 3.10.2, which updated the log4j version to 2.15.0, still can be "susceptible to exploitation in non-default configurations that utilize the ThreadContext class with user-supplied input" (see below source).

 

I felt compelled to mention this as I indicated in the first post (https://community.smartbear.com/t5/ReadyAPI-Questions/Is-readyapi-3-10-1-affected-by-log4j-security-vulnerability/m-p/227374#M55162) on this subject that "upgrading to 2.15.0 would be recommended". It seems that that info got outdated later during the day...

 

 

 

source: https://www.randori.com/blog/cve-2021-44228/

  • Hi JoostDG,

     

    Thank you for posting.

     

    The Apache Log4j2 Remote Code Execution (RCE) Vulnerabilities - CVE-2021-44228 and CVE-2021-45046 have been mitigated or remediated on SmartBear-managed cloud products. If you are on an on-premise version or a customized version, please reach out to our support team at https://support.smartbear.com for further information.

     

    Apache recently announced that the fix to address CVE-2021-44228 (upgrading Log4j to at least version 2.15.0) is not complete if non-default or custom configurations are used. SmartBear products remain unaffected with this new information. SmartBear does not use the non-default configurations and the residual risk is low in using the 2.15.0 version of Log4j.

     

    Many SmartBear products are already using Log4j 2.16.0. Out of an abundance of caution, SmartBear products not already using 2.16 will update to this version during the next available release.

  • D0UG's avatar
    D0UG
    Community Manager

    Hi JoostDG,

     

    Thank you for posting.

     

    The Apache Log4j2 Remote Code Execution (RCE) Vulnerabilities - CVE-2021-44228 and CVE-2021-45046 have been mitigated or remediated on SmartBear-managed cloud products. If you are on an on-premise version or a customized version, please reach out to our support team at https://support.smartbear.com for further information.

     

    Apache recently announced that the fix to address CVE-2021-44228 (upgrading Log4j to at least version 2.15.0) is not complete if non-default or custom configurations are used. SmartBear products remain unaffected with this new information. SmartBear does not use the non-default configurations and the residual risk is low in using the 2.15.0 version of Log4j.

     

    Many SmartBear products are already using Log4j 2.16.0. Out of an abundance of caution, SmartBear products not already using 2.16 will update to this version during the next available release.

    • sterickson's avatar
      sterickson
      New Member

      Our corporate security organization is requiring that log4j be at a minimum of 2.17.0, and are telling us we *must* update everything to this, or risk having affected servers shut down. We have numerous ReadyAPI installations, which have been updated to your release that uses 2.16.0. Unfortunately, that's not good enough for our security team.

       

      Will SmartBear be releasing a version that uses 2.17.0, or higher, and, if so, when?