Please see our main article on CVE-2021-44228 for a full overview.


Actions required for 20.11.X


Customers running any version of Avantra 20.11 are advised to mitigate this risk immediately by following ALL of the steps below:


    • Upgrade your Avantra services (master server and UI (xangui)) to either:
      • 21.11.2 or higher

      • 20.11.11 or higher

      • Only if you cannot upgrade, follow these manual steps instead:
        Avantra Server (manual steps if you cannot upgrade):
        Disable the Log4j2 message-lookup feature in which this CVE resides. To do this, do the following:
        • Linux
          • Master Server:
            Ensure that the Avantra master server JVM configuration file (at master/cfg/jvm.options) contains the following JVM option, which disables this feature in the log4j2 library, then restart the service:
            • -Dlog4j2.formatMsgNoLookups=true
          • UI Server (xangui):
            Ensure that the Avantra UI server (xangui) JVM configuration file (at xangui/cfg/jvm.options) contains the following JVM option, which disables this feature in the log4j2 library, then restart the service:
            • -Dlog4j2.formatMsgNoLookups=true
        • Windows
          • Master Server:
            Go to [avantra-directory]\master\bin and execute the command "prunmgr //ES//lyceusm" at a command prompt. In the resulting window, add a new "Java Option" under the section "Java" to match:
            • -Dlog4j2.formatMsgNoLookups=true
          • UI Server (xangui):
            Go to [avantra-directory]\xangui\bin and execute the command "prunmgr //ES//xangui" at a command prompt. In the resulting window, add a new "Java Option" under the section "Java" to match:
            • -Dlog4j2.formatMsgNoLookups=true
  1. Avantra Agents:
    For Avantra Agents, there are three options:
    1. Manually update the agent's Java runtime configuration in the same way as for the master server above, adding -Dlog4j2.formatMsgNoLookups=true (jvm.config file on Linux; prunmgr //ES//sxagent on Windows).

    2. Upgrade your agents to one of the two following versions:
      • 20.11.702 or higher

        Requires Avantra transports 20.11.2 - 20.11.7
        Requires Avantra server version >= 20.11.7

      • 20.11.11 or higher

        Requires Avantra transports 20.11.7
        Requires Avantra server version >= 20.11.9


    Please note we recommend performing the update via the Avantra agent update process using the .bin file provided in the download area.

  2. As per the Avantra Hardening guide, we recommend:
    • Lowering the log level of the Avantra master and UI to only what is required
    • Disabling unnecessary text input fields for unauthenticated users, such as the password reset function

  3. Ensure that your Java runtime is updated to Java 8u121 or later, from whatever source you currently use (e.g. Adoptium Temurin or Oracle Java).
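As an added example (not Avantra's own tooling), the following POSIX shell script covers the Linux side of the steps above: it checks a jvm.options file for -Dlog4j2.formatMsgNoLookups=true and appends the option idempotently if it is missing, and it checks a Java version string against the 8u121 minimum, treating 8u121 itself as acceptable. The Avantra paths in the comments are assumptions, and the sample jvm.options contents are constructed. Log4j 2 only honours the formatMsgNoLookups setting from version 2.10 onwards, which is one more reason to prefer the upgrade path listed first.

```shell
#!/bin/sh
# Added example, not Avantra's own tooling. Checks the two Linux-side items from
# the procedure above: the log4j2 lookup flag in a jvm.options file, and the
# Java runtime version. Paths and the sample file contents are constructed.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# has_nolookups FILE: succeed if FILE already has the flag as a whole line.
has_nolookups() {
    grep -qxF -e "$FLAG" -- "$1"
}

# ensure_nolookups FILE: append the flag if missing; print "present" or "added".
# Idempotent, so it can be re-run safely after a restart or a config merge.
ensure_nolookups() {
    if has_nolookups "$1"; then
        echo present
    else
        printf '%s\n' "$FLAG" >> "$1"
        echo added
    fi
}

# java_version_ok VERSION: succeed if VERSION is Java 8u121 or later.
# Accepts the legacy "1.8.0_121" form and the newer "11.0.2" / "17" forms;
# a build suffix such as "1.8.0_292-b10" is tolerated.
java_version_ok() {
    v="$1"
    case "$v" in
        1.*)
            major=$(printf '%s' "$v" | cut -d. -f2)
            update=${v##*_}
            [ "$update" = "$v" ] && update=0      # no "_NNN" update part
            update=$(printf '%s' "$update" | sed 's/[^0-9].*//')
            ;;
        *)
            major=${v%%.*}
            update=0
            ;;
    esac
    major=$(printf '%s' "$major" | sed 's/[^0-9].*//')
    [ -n "$major" ] || return 1
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$update" -ge 121 ]; }
}

# installed_java_ok: check the runtime on PATH. The version string is the
# quoted token on the first line of `java -version` (written to stderr).
installed_java_ok() {
    ver=$(java -version 2>&1 | sed -n '1s/.*"\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || return 1
    java_version_ok "$ver"
}

# demo: run the flag check against a constructed stand-in for
# master/cfg/jvm.options (path is an assumption) and print both outcomes.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '-Xmx2g' '-Dfile.encoding=UTF-8' > "$tmp"
    first=$(ensure_nolookups "$tmp")    # added
    second=$(ensure_nolookups "$tmp")   # present
    rm -f "$tmp"
    echo "$first $second"
}

# Usage on a real install (assumed layout; adjust to your Avantra directory):
#   ensure_nolookups /opt/avantra/master/cfg/jvm.options
#   ensure_nolookups /opt/avantra/xangui/cfg/jvm.options
#   installed_java_ok && echo "java ok" || echo "java too old or not found"
# then restart the affected service so the JVM picks up the new option.
```

The grep uses -x so a commented-out or differently spelled variant (for example `-Dlog4j2.formatMsgNoLookups=false`) is not mistaken for the mitigation, and the append only happens when the exact line is absent, so re-running the script after a restart changes nothing.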


Change Log

14th Dec @ 16:00 CET
Updated as there are now new server versions available: 21.11.2 and 20.11.11

13th Dec @ 18:30 CET
Initial version for 20.11.X customers