Apache Log4j vulnerability

  • davidcrossey

    Member
    December 12, 2021 at 12:00 am

    Hi neilusobrien,

    Thanks for raising your concern here.

    I will forward this on to our engineers and provide an update as soon as possible.

    Kind regards,

    David

  • davidcrossey

    Member
    December 13, 2021 at 12:00 am

    Hi neilusobrien,

    Please find the below update from the support page regarding this vulnerability:

    Advisory: Critical vulnerability CVE-2021-44228 affecting the Apache Log4j library

    KX is aware of a widely reported critical vulnerability (CVE-2021-44228) affecting the Apache Log4j library, where attackers can leverage log messages or log message parameters to perform remote code execution on vulnerable systems. It is recommended that customers who utilise Apache Log4j upgrade to version 2.15.0, which addresses this vulnerability.

    Actions taken

    As a critical vulnerability, we have reviewed the security of our platform. No vulnerable versions of the Log4j library have been uncovered within the KX software that has been shipped to customers. As always, the security of customers is of paramount importance. If and when further information becomes available, we will update this page accordingly. If you have concerns or questions, please visit support.kx.com.

    Please see the support page for further updates.

    Kind regards,

    David
