Q2 is aware of the recently disclosed security issue in Log4j and is closely following the latest resolution recommendations.
| CVE-2021-45105 | Denial of Service |
|---|---|
| Severity | High |
| Version Affected | All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4 |
| Description | Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. |
| Mitigation | Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability. Log4j 2.x mitigation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later). Alternatively, this infinite recursion issue can be mitigated in configuration: Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability. Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted. |
We are currently analyzing and mapping all Actimize applications installed on customer premises:
| Product | Product Version | Uses Log4j 2.x? | Note |
|---|---|---|---|
| Actimize - ActOne | 6.2 - 6.5 | Yes | Potentially uses log4j version 2.13.2 in four places. For detailed information, please refer to the document attached to this article. |
| Actimize - ActOne | 6.0 - 6.1 | No | Not applicable, no action required |
| Actimize - RCM | 5.13, 5.14 | Yes | No released version of the RCM 5.x application WAR itself uses a vulnerable version of log4j. However, if you have already installed Service Packs, it is likely that several add-on components and utilities do use a vulnerable log4j version. RCM uses log4j 2.x in 2 places. For detailed information, please refer to the document attached to this article. |
| Actimize - RCM | 5.12 and below | No | Not applicable, no action required |
| Actimize - AIS | All versions | No | Not applicable, no action required |
| Actimize - UDM | All versions | No | Not applicable, no action required |
| Actimize - IFM | 4.15, 4.11 and below, and 10.0 | No | Not applicable, no action required |
| Actimize - IFM | 10.1, 10.2 | Yes | Uses log4j 2.13 in 3 places. For detailed information, please refer to the document attached to this article. |
| Actimize - IFM Remote Banking | 3.1 | No | Not applicable, no action required |
| Actimize - SAM | All versions | Yes | Uses log4j 2.x in 4 places. For detailed information, please refer to the document attached to this article. |
| Actimize - CDD | All versions | Yes | Uses log4j 2.x in 3 places. |
| Actimize - WLF | All versions | No | Not applicable, no action required |
If you are using one of the Actimize solution versions listed above, please check the places mentioned and verify whether log4j 2.x is installed in your environment. Once you have confirmed this, please contact Q2 Support for further assistance.
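The check requested above, verifying which log4j 2.x JARs are actually present, is easy to get wrong by hand because log4j-core is often nested inside a WAR or EAR rather than lying loose in a lib directory. The following Python script is an added example, not code from Q2, NICE Actimize or the Apache Log4j project. It walks a directory, opens every JAR/WAR/EAR/ZIP (recursing into archives nested inside archives), reads the log4j-core version from the Maven pom.properties the build embeds (falling back to the file name), and flags versions inside the affected range stated in the table above (2.0-alpha7 through 2.17.0, excluding 2.3.2 and 2.12.4). It deliberately ignores log4j-api-only JARs, matching the note that only log4j-core is impacted. The Actimize install paths are not given on this page, so the sample tree it builds in a temp directory is constructed for demonstration; point it at your own install directory with a command-line argument.

```python
import io
import os
import re
import sys
import tempfile
import zipfile

# Affected range as stated in the advisory table: 2.0-alpha7 through 2.17.0,
# excluding the back-ported fix releases 2.3.2 and 2.12.4.
AFFECTED_LOW = "2.0-alpha7"
AFFECTED_HIGH = "2.17.0"
FIXED_BACKPORTS = {"2.3.2", "2.12.4"}

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
STAGES = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort before a final release (3)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")


def parse_version(text):
    """Turn '2.0-beta9' or '2.13.2' into a comparable tuple
    (major, minor, patch, stage, stage_number)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            STAGES.get((stage or "").lower(), 3), int(stage_num or 0))


def is_affected(version):
    """True when the version lies inside the advisory's affected range."""
    if version in FIXED_BACKPORTS:
        return False
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


def log4j_core_version(zf, name):
    """Version of a log4j-core JAR: prefer the embedded Maven pom.properties,
    fall back to the file name (log4j-core-<version>.jar). Returns None for
    anything that is not log4j-core, e.g. a log4j-api-only JAR."""
    if CORE_POM in zf.namelist():
        for line in zf.read(CORE_POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = re.search(r"(?:^|/)log4j-core-(\d[^/]*?)\.jar$", name)
    return m.group(1) if m else None


def scan_archive(data, location, findings):
    """Inspect one archive held in memory and recurse into nested archives, so a
    log4j-core JAR under WEB-INF/lib of a WAR is found as well."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        version = log4j_core_version(zf, location)
        if version is not None:
            findings.append({"location": location, "version": version,
                             "affected": is_affected(version)})
        for entry in zf.namelist():
            if entry.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(entry), f"{location}!/{entry}", findings)


def scan_path(root):
    """Walk a directory tree; report every log4j-core JAR with its version and
    whether it is inside the affected range. Locations are relative to root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fn)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), rel, findings)
    return findings


def _jar_bytes(entries):
    """Build a minimal JAR/WAR in memory from a {path: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample layout (hypothetical, not a real Actimize install): a
    loose vulnerable core JAR, an api-only JAR, a WAR with a patched core JAR
    nested inside, and a back-ported fix release that lacks pom.properties."""
    os.makedirs(os.path.join(root, "app", "lib"))
    os.makedirs(os.path.join(root, "tools"))
    api_pom = "META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties"
    files = {
        "app/lib/log4j-core-2.13.2.jar": _jar_bytes({CORE_POM: "version=2.13.2\n"}),
        "app/lib/log4j-api-2.13.2.jar": _jar_bytes({api_pom: "version=2.13.2\n"}),
        "rcm.war": _jar_bytes({"WEB-INF/lib/log4j-core-2.17.1.jar":
                               _jar_bytes({CORE_POM: "version=2.17.1\n"})}),
        "tools/log4j-core-2.12.4.jar": _jar_bytes({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}),
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo_scan():
    """Build the constructed sample tree in a fresh temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_path(root)


if __name__ == "__main__":
    results = scan_path(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for f in results:
        flag = "AFFECTED" if f["affected"] else "ok      "
        print(f"{flag} {f['version']:<10} {f['location']}")
```

On the constructed tree the output lists three log4j-core JARs: the loose 2.13.2 copy is flagged, the 2.17.1 copy nested in rcm.war and the 2.12.4 back-port are reported as ok, and the log4j-api JAR is not listed at all. Treat the report as an inventory to hand to Q2 Support, not as proof of exploitability: a shaded or renamed JAR that carries no pom.properties and no log4j-core file name will be missed, so also review the places listed in the attached document.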
NOTE:
This page will be updated regularly as new information about this vulnerability becomes available.
Reference: