Summary & Key Actions Required
- Avantra Server (master)
- Upgrade your server (master) to either:
- 21.11.2+
- 20.11.11+
- [manual mitigation] If you are on any other version of Avantra server and you cannot upgrade you will need to follow some manual steps as per the version-specific guidance documents below.
- Upgrade your server (master) to either:
- UI Server (xangui)
- Upgrade your UI server (xangui) to either:
- 21.11.2+
- 20.11.11+
- [manual mitigation] If you are on any other version of UI server (xangui) and you cannot upgrade you will need to follow some manual steps as per the version-specific guidance documents below.
- Upgrade your UI server (xangui) to either:
- Agent
- Upgrade your agent to either:
- 21.11.2 - requires master server version 21.11.0 or above
- 20.11.11 - requires master server version 20.11.9+ and SAP transports 20.11.9+
- 20.11.702 - requires master server version 20.11.7+ and SAP transports 20.11.2 - 20.11.7)
- 20.5.8 - requires master server 20.5.6+
- For agents that cannot be upgraded - advice is given in the version-specific documents below for how to manually update the configuration to mitigate the issue.
- Upgrade your agent to either:
Version specific guidance documents:
- Avantra 21.11.0 and above (servers or agents)
- Avantra 20.11.x and above (servers or agents)
- Avantra 20.5 / 20.2 and below
Related security articles:
- CVE-2021-45046 - Log4j2 Thread Context Message/Lookup
- CVE-2021-45105 - Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
- CVE-2021-44228 - Custom Check - verify Avantra has been hardened
- CVE-2021-44228 - Sample code - agent configuration changes - linux
- Avantra Hardening Guide
CVE-2021-44228 Summary
A security vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021. The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1. The vulnerability allows for unauthenticated remote code execution.
Java 8u121 helps protect against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false" and this is the current recommendation to mitigate the risk prior to application update publication. However, in our testing, this does not fully mitigate the issue.
See https://nvd.nist.gov/vuln/detail/CVE-2021-44228 for more details on this Vulnerability.
Impact to Avantra
The following is a list of Server and Agent components that are affected by this CVE
- Avantra 21.11.0 uses Log4j 2.14.1
- Avantra 20.11.0 - 20.11.9 uses Log4j 2.14.0
- Avantra 20.5.0 - 20.5.6 use Log4j 2.5
- Avantra 20.2.x, 7.3.x, 7.2.x use Log4j 2.5
- Avantra 7.1.x uses Log4j 2.3
We are aware that this exploit is an immediate issue for customers that have configured Active Directory integration and these customers are advised to apply the fixes as soon as possible.
Change Log
| 6th Jan @ 14:00 CET | Formatting updates only - no content changes. |
| 17th Dec @ 19:00 CET | Related CVE-2021-45046 score updated to 9.0 recommend customers upgrade to the latest patched versions available. |
| 15th Dec @ 21:00 CET | Updated to reflect the release of Avantra server version 21.11.2 and 20.11.11 Updated to include the Log4j version present in new versions 21.11.2 and 20.11.11 |
| 15th Dec @ 08:23 CET | Related articles section added to the top to link to related CVEs and other useful documents. Title updated to make the specific context clearer |
| 14th Dec @ 15:00 CET | Update to the guidance for versions 20.5 and 20.2 - Avantra agent 20.5.7 is now available for use with masters 20.5.6 and above for situations where upgrades are not possible e.g. older operating systems. |
| 13th Dec @ 18:30 CET | Update with specific articles for specific versions to bring clarity on how to approach changes for customers: |
| 13th Dec @ 14:00 CET | We are releasing Agent 20.11.701 for customers who do not want to upgrade their SAP Transport requests and this agent will be compatible with previous versions of Avantra transports. Update to the "Impact to Avantra" section. |
| 12th Dec @ 11:15 CET | Updated mitigation approaches available. |
| 11th Dec @ 20:00 CET | Updated parameter for Java configuration to match Log4J recommendations - https://logging.apache.org/log4j/2.x/security.html |
| 11th Dec @ 17:30 CET | Updated based on updated information from the disclosure. We now recommend that the JVM settings on the Avantra master server are set to specific mitigate this risk rather than assuming that later versions of Java have this covered. |
| 10th Dec @ 17:45 CET | Initial Notice Published |
We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.