Summary & Key Actions Required
At present, there are no actions required by Avantra software users other than the mitigations required for previous Log4j vulnerabilities (see related security articles).
Within our standard Avantra installation, we do not use the JDBC Appender functionality within Log4j and so Avantra is not impacted by this vulnerability. We will continue to include the latest versions of Log4j in upcoming patches and releases and customers will be notified as newer versions become available through the normal channels.
Related security articles:
- CVE-2021-44228 - Log4j - JNDI message lookup
- CVE-2021-45046 - Log4j2 Thread Context Message/Lookup
- CVE-2021-45105 - Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
- Avantra Hardening Guide
Please see these articles for more information:
Impact to Avantra
We have completed our investigations and analysis around this CVE and have determined that there are no actions required by Avantra software users other than the mitigations required for previous Log4j vulnerabilities (see related security articles). We will update this article if any more information becomes available.
For customers concerned about this CVE, in line with our dependencies update policy, Avantra versions 20.11.15 and 21.11.4 and above include the patched component.
|31st Mar 2023 @ 14:00 CET
|Updated with Avantra releases with patched components (20.11.15, 21.11.4)
|6th Jan @ 14:00 CET
|Initial Notice Published
We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.