Summary & Key Actions Required

We are continuing to monitor advice from the maintainers regarding CVE-2021-45105, which currently has a CVSS score of 7.5. It is a denial-of-service vulnerability: Apache Log4j2 does not always protect against infinite recursion in lookup evaluation.


Avantra has released updated versions of our Server and Agent components that include the latest Log4j version (2.17.0). Versions for the 21.11.x and 20.11.x lines were released on Monday, December 20, and an updated version for the 20.5.x line was released on Tuesday, December 21, 2021. The complete list of versions is below:


  • Avantra Server (master and UI)
  • Avantra Agents
    • 21.11.3 and above (requires server version 21.11.2+ and SAP transports 20.11.7+) - download link
    • 20.11.12 and above (requires server version 20.11.11+ and SAP transports 20.11.7+) - download link
    • 20.11.703 (requires server version 20.11.7+ and SAP transports 20.11.2 - 20.11.7) - download link
    • 20.5.9 (requires server version 20.5.6+) - download link




CVE-2021-45105 Summary

Please see this article from the Log4j maintainers for more information:

https://logging.apache.org/log4j/2.x/security.html


Impact to Avantra

We advise customers to upgrade to the latest available version of Avantra out of an abundance of caution, to ensure protection against exploits of CVEs affecting previous versions of the Log4j component.



Change Log

6th Jan @ 14:00 CET: Formatting updates - no content changes
21st Dec @ 17:50 CET: Updated to include information about the deployment of the latest version of Log4j within Avantra versions 20.5.9
20th Dec @ 16:20 CET: Updated to include information about the deployment of the latest version of Log4j within Avantra versions 21.11.3, 20.11.11 and 20.11.703
20th Dec @ 12:00 CET: Initial Notice Published



At Avantra, we take the security of our software and our customers very seriously; it is our top priority. We will keep you up to date as more information becomes available, and we encourage customers to subscribe to the security section of our forum to receive proactive updates as we post them.