Summary & Key Actions Required

We are continuing to monitor advice from the maintainers around CVE-2021-45046 which currently has a CVSS score of 9.0. This has recently been upgraded from the original score of 3.7.

Avantra has released updated versions of our Server and Agent components where we have implemented the latest Log4j version (2.16.0). The versions of Avantra are:

  • Avantra Server (master and UI)
    • 21.11.2 and above
    • 20.11.11 and above
  • Avantra Agents
    • 21.11.2 and above - requires server version 21.11.2+ and SAP transports 20.11.7+
    • 20.11.11 and above - requires server version 20.11.11+ and SAP transports 20.11.7+
    • 20.11.702 - requires server version 20.11.7+ and SAP transports 20.11.2 - 20.11.7
    • 20.5.8 - requires server version 20.5.6+

We will update this article if any more information becomes available and will highlight if our recommendations or plans change.

Related security articles:

CVE-2021-45046 Summary

Please see this article from the Log4j maintainers for more information:

Impact to Avantra

We advise customers to upgrade to the latest available version of Avantra anyway to ensure the protection against CVE exploits from previous versions of the Log4j component.

Change Log

6th Jan @ 14:00 CETFormatting updates - no content changes
17th Dec @ 17:00 CETUpdate CVSS score to 9.0 and recommend customers upgrade to the latest patched versions available.
16th Dec @ 17:00 CETRelease of versions 20.11.702 and 20.5.8 to support older SAP transports and transport versions to reduce upgrade effort.
15th Dec @ 21:00 CETUpdated to include information about the deployment of the latest version of Log4j within Avantra versions 21.11.2 and 20.11.11.
15th Dec @ 12:30 CETUpdated to include the results of our initial analysis which is that we are not aware of additional risks to Avantra landscapes this time.

Information about the planned software releases to include the latest Log4j version 2.16.0.
15th Dec @ 08:15 CETInitial Notice Published

We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.