2021.12.12 03:39 PM
It looks like the Kx platform's Apache Tomcat server may use log4j; there is a log4j.properties.
I don't know if this is something we can patch by just downloading the latest apt package.
Can you advise on what steps we need to take to patch this (before they release a patch of their own)?
https://www.kaspersky.com.au/blog/log4shell-critical-vulnerability-in-apache-log4j/30102/
2021.12.13 03:47 PM - edited 2021.12.14 02:24 AM
Hi neilusobrien,
Please find the below update from the support page regarding this vulnerability:
Advisory: Critical vulnerability CVE-2021-44228 affecting the Apache Log4J library
KX is aware of a widely reported critical vulnerability (CVE-2021-44228) affecting the Apache Log4j library, where attackers can leverage log message or log message parameters to perform remote code execution on vulnerable systems. It is recommended that customers who utilise Apache Log4j upgrade to version 2.15.0, which addresses this vulnerability.
Actions taken
As a critical vulnerability, we have reviewed the security of our platform. No vulnerable versions of the Log4j library have been uncovered within the KX software that has been shipped to customers. As always, the security of customers is of paramount importance. If and when further information becomes available, we will update this page accordingly. If you have concerns or questions please visit support.kx.com
Please see support page for further updates.
Kind regards,
David
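The question above asks what to check before a vendor patch arrives, and the advisory names 2.15.0 as the fixed version. As an added example that is not part of the original thread and not KX's or Tomcat's own code, here is a small Python inventory script a defender can run over a directory tree such as a Tomcat installation. It finds log4j-core jars (including ones renamed or nested inside a .war), reads the version from the jar's Maven metadata, and flags 2.x jars older than the threshold in `FIXED_VERSION` (set to 2.15.0 to match the advisory; later advisories raised that bar, so adjust the constant). A `log4j.properties` file on its own says nothing about which log4j version, if any, is on the classpath, which is why the script inspects the jars rather than the config. The `build_sample_tree` fixture is constructed sample data, not real KX files.

```python
import io
import os
import re
import sys
import tempfile
import zipfile
from typing import List, Optional

# Fixed version named in the advisory above (assumption: raise it as newer advisories require).
FIXED_VERSION = (2, 15, 0)

# Maven metadata shipped inside genuine log4j-core 2.x jars, and the class that does JNDI lookups.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text: str) -> Optional[tuple]:
    """Turn '2.14.1' or '2.15.0-rc1' into a comparable (major, minor, patch); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def inspect_archive(fobj, display_path: str, findings: List[dict]) -> None:
    """Inspect one zip-based archive and recurse into nested jars (e.g. WEB-INF/lib in a .war)."""
    try:
        zf = zipfile.ZipFile(fobj)
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        version = None
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or has_jndi:
            ver = parse_version(version or "")
            findings.append({
                "path": display_path,
                "version": version,
                "jndi_lookup": has_jndi,
                # The affected class lives in the 2.x namespace only; log4j 1.x jars never match it.
                # A jar that still ships JndiLookup with no readable version is treated as vulnerable.
                "vulnerable": has_jndi and (ver is None or (ver[0] == 2 and ver < FIXED_VERSION)),
            })
        for name in names:
            if name.lower().endswith(".jar"):
                inspect_archive(io.BytesIO(zf.read(name)), f"{display_path}!{name}", findings)


def scan(root: str) -> List[dict]:
    """Walk a directory tree and report every archive that looks like log4j-core 2.x."""
    findings: List[dict] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    inspect_archive(f, os.path.relpath(path, root), findings)
    return findings


def build_sample_tree() -> str:
    """Constructed fixture (not real KX or Tomcat files): fake jars carrying the markers above."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "webapps"))

    def make_jar(path, version=None, with_class=True):
        with zipfile.ZipFile(path, "w") as zf:
            if version:
                zf.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n")
            if with_class:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes

    make_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1")   # below threshold
    make_jar(os.path.join(root, "lib", "log4j-core-2.15.0.jar"), "2.15.0")   # at threshold
    make_jar(os.path.join(root, "lib", "unrelated.jar"), None, with_class=False)
    # A war whose WEB-INF/lib holds a renamed log4j-core with the Maven metadata stripped.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "webapps", "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/logging.jar", inner.getvalue())
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for finding in scan(target):
        flag = "VULNERABLE" if finding["vulnerable"] else "ok"
        print(f"{flag:10} {finding['version'] or '?':8} {finding['path']}")
```

Run it as `python scan_log4j.py /path/to/tomcat` (or with no argument to scan the constructed fixture). Reading the Maven `pom.properties` rather than trusting the filename catches jars that were renamed or bundled, and the nested-archive walk covers Tomcat webapps deployed as .war files, where a vulnerable copy can sit inside `WEB-INF/lib` with nothing visible in the top-level `lib` directory.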
2021.12.12 03:55 PM
Hi neilusobrien,
Thanks for raising your concern here.
I will forward this on to our engineers and provide an update as soon as possible.
Kind regards,
David