Summary & Key Actions Required
We are continuing to monitor advice from the Log4j maintainers around CVE-2021-45046, which currently has a CVSS score of 9.0; this was recently raised from the original score of 3.7.
Avantra has released updated versions of our Server and Agent components in which we have implemented the latest Log4j version (2.16.0). The patched versions of Avantra are:
- Avantra Server (master and UI)
  - 21.11.2 and above
  - 20.11.11 and above
- Avantra Agents
  - 21.11.2 and above - requires server version 21.11.2+ and SAP transports 20.11.7+
  - 20.11.11 and above - requires server version 20.11.11+ and SAP transports 20.11.7+
  - 20.11.702 - requires server version 20.11.7+ and SAP transports 20.11.2 - 20.11.7
  - 20.5.8 - requires server version 20.5.6+
We will update this article if any more information becomes available and will highlight if our recommendations or plans change.
Related security articles:
- CVE-2021-45105 - Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
- CVE-2021-44228 - Log4j - JNDI message lookup
- CVE-2021-44228 - Custom Check - verify Avantra has been hardened
- CVE-2021-44228 - Sample code - agent configuration changes - linux
- Avantra Hardening Guide
CVE-2021-45046 Summary
Please see this article from the Log4j maintainers for more information:
https://logging.apache.org/log4j/2.x/security.html
Impact to Avantra
We advise customers to upgrade to the latest available version of Avantra regardless, to ensure protection against exploitation of the CVEs affecting earlier versions of the Log4j component.
Change Log
| Date | Change |
| --- | --- |
| 6th Jan @ 14:00 CET | Formatting updates - no content changes |
| 17th Dec @ 17:00 CET | Update CVSS score to 9.0 and recommend customers upgrade to the latest patched versions available. |
| 16th Dec @ 17:00 CET | Release of versions 20.11.702 and 20.5.8 to support older SAP transports and transport versions to reduce upgrade effort. |
| 15th Dec @ 21:00 CET | Updated to include information about the deployment of the latest version of Log4j within Avantra versions 21.11.2 and 20.11.11. |
| 15th Dec @ 12:30 CET | Updated to include the results of our initial analysis, which is that we are not aware of additional risks to Avantra landscapes at this time. Information about the planned software releases to include the latest Log4j version 2.16.0. |
| 15th Dec @ 08:15 CET | Initial Notice Published |
We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.