According to Log4j – Apache Log4j Security Vulnerabilities, all versions of Log4j from 2.0 through 2.16.0 are vulnerable:
“All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4”
According to Red Hat Bugzilla – Bug 2031667, a similar vulnerability could occur in Log4j 1.x if the application is configured to use JMSAppender:
“A flaw was found in the Java logging library Apache Log4j in version 1.x. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender.”
JMSAppender is neither enabled nor used by Tansa, so Tansa is safe from this type of attack.
What do we do?
Both Tansa Client and Tansa Admin are now updated to use Log4j 2.17.1.
When will new installers be available and how?
Updated versions of Tansa Client and Tansa Admin have now been released.
Customers who have an operating agreement will have their servers updated continuously by us. At the same time, other customers will receive new versions through Tansa Update or by contacting us directly at email@example.com. We can help you install the update.