Summary & Key Actions Required
We are continuing to monitor advice from the maintainers around CVE-2021-45105, which currently has a CVSS score of 7.5. It is a denial-of-service issue: Apache Log4j2 does not always protect against infinite recursion in lookup evaluation, so a self-referential lookup (for example a Thread Context Map value that itself contains a `${ctx:...}` lookup evaluated by a PatternLayout) can crash the logging thread with a StackOverflowError. It affects Log4j 2.x releases up to and including 2.16.0 and is fixed in 2.17.0.
Avantra has released updated Server and Agent components that bundle the latest Log4j release (2.17.0): on Monday, December 20, 2021 for the 21.11.x and 20.11.x lines, and on Tuesday, December 21, 2021 for the 20.5.x line. The complete list of versions is below:
- Avantra Server (master and UI)
  - 21.11.3 and above
  - 20.11.12 and above
- Avantra Agents
  - 21.11.3 and above (requires server version 21.11.2+ and SAP transports 20.11.7+)
  - 20.11.12 and above (requires server version 20.11.11+ and SAP transports 20.11.7+)
  - 20.11.703 (requires server version 20.11.7+ and SAP transports 20.11.2 - 20.11.7)
  - 20.5.9 (requires server version 20.5.6+)
Related security articles:
- CVE-2021-45046 - Log4j2 Thread Context Message/Lookup
- CVE-2021-44228 - Log4j - JNDI message lookup
- CVE-2021-44228 - Custom Check - verify Avantra has been hardened
- CVE-2021-44228 - Sample code - agent configuration changes - linux
- Avantra Hardening Guide
CVE-2021-45105 Summary
Please see this article from the Log4j maintainers for more information:
https://logging.apache.org/log4j/2.x/security.html
Impact to Avantra
We advise customers to upgrade to the latest available version of Avantra out of an abundance of caution, so that protection against this and the earlier Log4j CVEs (CVE-2021-44228 and CVE-2021-45046) comes from the 2.17.0 component itself rather than from mitigations applied to older versions. Note that the mitigations published for CVE-2021-44228 (removing the JndiLookup class or disabling message lookups) do not address CVE-2021-45105; the maintainers' only configuration-level workaround for this issue is to replace Context Lookups such as `${ctx:loginId}` in PatternLayout with the equivalent Thread Context Map patterns (`%X`, `%mdc` or `%MDC`), which is why upgrading the bundled Log4j is the recommended fix.
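As an added check (not Avantra's own tooling and not part of the original advisory), the script below walks an installation directory, finds bundled log4j-core JARs, and reports any that are still below the fixed release of their branch (2.17.0, with 2.12.3 for the Java 7 line and 2.3.1 for the Java 6 line, as listed on the maintainers' security page). It assumes the upstream artifact naming `log4j-core-<version>.jar` and the `Implementation-Version` manifest attribute the Apache builds ship; the manifest is preferred over the file name because a repackaged or renamed JAR can look newer than the code inside it. The sample tree it builds for demonstration is constructed, and its paths are hypothetical.

```python
"""Find bundled log4j-core JARs under a directory and flag versions that
still carry CVE-2021-45105.

Added example for this advisory; it is not Avantra's own tooling. It
assumes the upstream artifact naming log4j-core-<version>.jar and the
Implementation-Version manifest attribute that the Apache builds ship.
"""
import os
import re
import sys
import tempfile
import zipfile

# Fixed releases per maintained branch (from the maintainers' security page):
# 2.3.1 for the Java 6 line, 2.12.3 for the Java 7 line, 2.17.0 otherwise.
FIXED_BY_BRANCH = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3)}
FIXED_DEFAULT = (2, 17, 0)

# Matches log4j-core-2.16.0.jar and log4j-core-2.17.0-SNAPSHOT.jar; not log4j-api.
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); None if the string has no leading version."""
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def version_from_manifest(jar_path):
    """Version the JAR declares about itself, or None if it cannot be read."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def is_vulnerable(version):
    """True when version is below the fixed release of its branch."""
    padded = tuple(version) + (0,) * max(0, 3 - len(version))
    fixed = FIXED_BY_BRANCH.get(padded[:2], FIXED_DEFAULT)
    return padded[:3] < fixed


def scan(root):
    """Return sorted [(relative_path, version, vulnerable)] for every log4j-core JAR.

    The manifest wins over the file name: a repackaged or renamed JAR can
    carry a newer-looking name than the code inside it.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            m = JAR_NAME_RE.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            version = version_from_manifest(path) or parse_version(m.group(1))
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, version, is_vulnerable(version)))
    return sorted(findings)


def _write_fake_jar(path, manifest_version):
    """Constructed stand-in for a real JAR: a zip holding only a manifest."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\n"
                    f"Implementation-Version: {manifest_version}\n")


def make_sample_tree():
    """Build a constructed installation tree (hypothetical paths); return its root."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    _write_fake_jar(os.path.join(root, "server", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    _write_fake_jar(os.path.join(root, "agent", "lib", "log4j-core-2.17.0.jar"), "2.17.0")
    # Mislabelled: the file name claims 2.17.0 but the manifest says 2.16.0.
    _write_fake_jar(os.path.join(root, "agent", "old", "log4j-core-2.17.0.jar"), "2.16.0")
    # log4j-api is not the vulnerable artifact and must be ignored by the scan.
    _write_fake_jar(os.path.join(root, "agent", "lib", "log4j-api-2.17.0.jar"), "2.17.0")
    return root


if __name__ == "__main__":
    # Usage: python log4j_scan.py /path/to/installation  (no argument: sample tree)
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for rel, version, bad in scan(target):
        status = "VULNERABLE" if bad else "ok"
        print(f"{status:10} {'.'.join(map(str, version)):8} {rel}")
```

Run it against the directory an installation lives in; any line marked VULNERABLE, including a JAR whose name says 2.17.0 but whose manifest says otherwise, means the component has not actually been upgraded. The scanner does not look inside nested archives (a log4j-core JAR embedded in a WAR or fat JAR), so unpack those first or extend the walk if the deployment uses them.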
Change Log
6th Jan @ 14:00 CET | Formatting updates - no content changes |
21st Dec @ 17:50 CET | Updated to include information about the deployment of the latest version of Log4j within Avantra version 20.5.9 |
20th Dec @ 16:20 CET | Updated to include information about the deployment of the latest version of Log4j within Avantra versions 21.11.3, 20.11.11 and 20.11.703 |
20th Dec @ 12:00 CET | Initial Notice Published |
We at Avantra take the security of our software and our customers very seriously; it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to receive updates as we post them.