Summary & Key Actions Required

  • Avantra Server (master)
    • Upgrade your server (master) to either:
      • 21.11.2+
      • 20.11.11+
      • [manual mitigation] If you are on any other version of Avantra server and you cannot upgrade you will need to follow some manual steps as per the version-specific guidance documents below.
  • UI Server (xangui)
    • Upgrade your UI server (xangui) to either:
      • 21.11.2+
      • 20.11.11+
      • [manual mitigation] If you are on any other version of UI server (xangui) and you cannot upgrade you will need to follow some manual steps as per the version-specific guidance documents below.
  • Agent
    • Upgrade your agent to either:
      • 21.11.2 - requires master server version 21.11.0 or above
      • 20.11.11 - requires master server version 20.11.9+ and SAP transports 20.11.9+
      • 20.11.702 - requires master server version 20.11.7+ and SAP transports 20.11.2 - 20.11.7)
      • 20.5.8 - requires master server 20.5.6+
      • For agents that cannot be upgraded - advice is given in the version-specific documents below for how to manually update the configuration to mitigate the issue.

Version specific guidance documents:

Related security articles:

CVE-2021-44228 Summary

A security vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021. The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1. The vulnerability allows for unauthenticated remote code execution.

Java 8u121 helps protect against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false" and this is the current recommendation to mitigate the risk prior to application update publication. However, in our testing, this does not fully mitigate the issue.

See for more details on this Vulnerability.

Impact to Avantra

The following is a list of Server and Agent components that are affected by this CVE

  • Avantra 21.11.0 uses Log4j 2.14.1
  • Avantra 20.11.0 - 20.11.9 uses Log4j 2.14.0
  • Avantra 20.5.0 - 20.5.6 use Log4j 2.5
  • Avantra 20.2.x, 7.3.x, 7.2.x use Log4j 2.5
  • Avantra 7.1.x uses Log4j 2.3

We are aware that this exploit is an immediate issue for customers that have configured Active Directory integration and these customers are advised to apply the fixes as soon as possible.

Change Log

6th Jan @ 14:00 CETFormatting updates only - no content changes.
17th Dec @ 19:00 CETRelated CVE-2021-45046 score updated to 9.0 recommend customers upgrade to the latest patched versions available.
15th Dec @ 21:00 CETUpdated to reflect the release of Avantra server version 21.11.2 and 20.11.11

Updated to include the Log4j version present in new versions 21.11.2 and 20.11.11
15th Dec @ 08:23 CETRelated articles section added to the top to link to related CVEs and other useful documents.

Title updated to make the specific context clearer
14th Dec @ 15:00 CETUpdate to the guidance for versions 20.5 and 20.2 - Avantra agent 20.5.7 is now available for use with masters 20.5.6 and above for situations where upgrades are not possible e.g. older operating systems.
13th Dec @ 18:30 CETUpdate with specific articles for specific versions to bring clarity on how to approach changes for customers:
13th Dec @ 14:00 CETWe are releasing Agent 20.11.701 for customers who do not want to upgrade their SAP Transport requests and this agent will be compatible with previous versions of Avantra transports.

Update to the "Impact to Avantra" section.
12th Dec @ 11:15 CET

Updated mitigation approaches available.

11th Dec @ 20:00 CETUpdated parameter for Java configuration to match Log4J recommendations -
11th Dec @ 17:30 CETUpdated based on updated information from the disclosure. We now recommend that the JVM settings on the Avantra master server are set to specific mitigate this risk rather than assuming that later versions of Java have this covered.
10th Dec @ 17:45 CETInitial Notice Published

We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.