
Apache Log4j vulnerability

neilusobrien
New Contributor

It looks like the KX Platform's Apache Tomcat server may use Log4j; there is a log4j.properties file.

I don't know if this is something we can patch by just downloading the latest apt package.
Can you advise on what steps we need to take to patch this (before they release a patch of their own)?


https://www.kaspersky.com.au/blog/log4shell-critical-vulnerability-in-apache-log4j/30102/


2 REPLIES

davidcrossey
Moderator

Hi neilusobrien,

Thanks for raising your concern here.

I will forward this on to our engineers and provide an update as soon as possible.

Kind regards,

David

davidcrossey
Moderator

Hi neilusobrien,

Please find below the update from the support page regarding this vulnerability:

Advisory: Critical vulnerability CVE-2021-44228 affecting the Apache Log4J library

KX is aware of a widely reported critical vulnerability (CVE-2021-44228) affecting the Apache Log4j library, where attackers can leverage log message or log message parameters to perform remote code execution on vulnerable systems. It is recommended that customers who utilise Apache Log4j upgrade to version 2.15.0, which addresses this vulnerability.

Actions taken

As a critical vulnerability, we have reviewed the security of our platform. No vulnerable versions of the Log4j library have been uncovered within the KX software that has been shipped to customers. As always, the security of customers is of paramount importance. If and when further information becomes available, we will update this page accordingly. If you have concerns or questions, please visit support.kx.com

Please see the support page for further updates.

Kind regards,

David
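The advisory above gives a single actionable check: find every Log4j jar the Tomcat installation loads and confirm it is at least 2.15.0. The script below is an added example, not code from KX or from this thread; it walks a directory tree (the Tomcat `lib` path is an assumption; point it at the real install), reads each `log4j-core` jar's `Implementation-Version` from its manifest (falling back to the file name), and flags anything older than the fix version. The `demo()` function builds two constructed jars in a temporary directory so the scan runs offline.

```python
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 15, 0)  # version the KX advisory says addresses CVE-2021-44228

def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); qualifiers such as '-rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x) if x else 0 for x in m.groups()) if m else None

def jar_log4j_version(path):
    """Read Implementation-Version from the jar manifest, else parse the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            if "META-INF/MANIFEST.MF" in zf.namelist():
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.startswith("Implementation-Version:"):
                        return parse_version(line.split(":", 1)[1].strip())
    except zipfile.BadZipFile:
        pass  # not a readable jar; fall back to the file name below
    m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)", os.path.basename(path))
    return parse_version(m.group(1)) if m else None

def scan(root, fixed=FIXED_VERSION):
    """Return {jar_path: (version, needs_upgrade)} for every log4j-core jar under root.

    Only Log4j 2 (log4j-core-*.jar) is inventoried, matching the advisory's scope.
    An unparseable version is reported as needing attention rather than silently passed.
    """
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_log4j_version(path)
                findings[path] = (version, version is None or version < fixed)
    return findings

def make_fake_jar(path, version):
    """Constructed sample: a minimal jar whose manifest carries the given version."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")

def demo():
    """Build a constructed tomcat/lib tree with one old and one fixed jar, then scan it."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "tomcat", "lib")  # assumed layout, not KX's real path
    os.makedirs(lib)
    make_fake_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
    make_fake_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0")
    return scan(root)
```

Run `scan("/path/to/tomcat")` against the real installation; every entry whose second value is `True` is a jar the advisory says to upgrade.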