Apache Log4j vulnerabilities

How is Tansa software affected?

Tansa Client 5.0.129.1686 is not affected

Tansa Client 5.0.129.1686 was published 01/04/2022 and updated from Log4j 2.17.0 to Log4j 2.17.1 (the latest version at that time).

Tansa Client 5.0.128.1684 is partly affected

Tansa Client 5.0.128.1684 was published 12/22/2021 and updated from Log4j 2.16 to Log4j 2.17.0 (the latest version at that time). Another security hole also affects Log4j 2.17.0, so Log4j 2.17.1 was published 12/27/2021.

Tansa Client 5.0.127.1680 is partly affected

Tansa Client 5.0.127.1680 was published 12/15/2021 and updated from Log4j 1.2.17 to Log4j 2.16 (the latest version at that time). Another security hole was then discovered that also affects Log4j 2.16, so Log4j 2.17 was published 12/18/2021.

Tansa Client before 5.0.127.1680 and other Tansa software is not affected

Tansa Client before version 5.0.127.1680 and Tansa Admin use Log4j 1.2.17. They are therefore not affected by any of the recently reported security holes in Log4j.

There are two Tansa applications that use Log4j:

  • Tansa Administrator
    • 5.0.38.612 uses Log4j 2.17.1 (not affected)
    • Earlier versions use Log4j 1.2.17 (not affected)
  • Tansa Client
    • 5.0.129.1686 uses Log4j 2.17.1 (not affected)
    • 5.0.128.1684 uses Log4j 2.17.0 (partly affected)
    • 5.0.127.1680 uses Log4j 2.16 (partly affected)
    • Earlier versions use Log4j 1.2.17 (not affected)

To read more about Log4j vulnerabilities, go to:

The U.S. Cybersecurity & Infrastructure Security Agency (CISA)

The U.S. National Vulnerability Database (NVD)

UK’s National Cyber Security Centre (NCSC)

According to Log4j – Apache Log4j Security Vulnerabilities, all versions of Log4j from 2.0 through 2.16.0 are vulnerable:

“All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4”

According to Red Hat Bugzilla – Bug 2031667, a similar vulnerability could occur in Log4j 1.x if the application is configured to use JMSAppender:

“A flaw was found in the Java logging library Apache Log4j in version 1.x. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender.”

Tansa does not enable or use JMSAppender, so Tansa is safe from this type of attack.
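
One way to check an installation directory against the version list and the JMSAppender condition above. This is an added example, not code from Tansa or Apache; it assumes the standard Log4j jar file names and the default Log4j 1.x config file names (log4j.properties, log4j.xml), and the directory in the demo is constructed.

```python
import pathlib
import re

# Status per Log4j version, taken from the version list on this page.
PAGE_STATUS = {
    "2.17.1": "not affected",
    "2.17.0": "partly affected",
    "2.16.0": "partly affected",  # the page writes this version as "2.16"
    "1.2.17": "not affected unless JMSAppender is configured",
}
# Standard artifact names: log4j-core-<ver>.jar (2.x) and log4j-<ver>.jar (1.x).
JAR_RE = re.compile(r"^log4j-(?:core-)?(\d+(?:\.\d+)+)\.jar$")
JMS_CLASS = "org.apache.log4j.net.JMSAppender"    # Log4j 1.x appender class
CONFIG_NAMES = {"log4j.properties", "log4j.xml"}  # assumed default config names

def uses_jms_appender(text: str) -> bool:
    """True if a Log4j 1.x config references JMSAppender outside comments."""
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)  # drop XML comments
    lines = [l for l in text.splitlines()
             if not l.lstrip().startswith(("#", "!"))]   # drop .properties comments
    return any(JMS_CLASS in l for l in lines)

def audit(root) -> dict:
    """Walk a directory; report Log4j jars and configs that enable JMSAppender."""
    root = pathlib.Path(root)
    report = {"jars": {}, "jms_configs": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        m = JAR_RE.match(path.name)
        if m:
            report["jars"][rel] = PAGE_STATUS.get(
                m.group(1), "version not listed on this page")
        elif (path.name in CONFIG_NAMES
              and uses_jms_appender(path.read_text(errors="replace"))):
            report["jms_configs"].append(rel)
    return report

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample layout
        root = pathlib.Path(d)
        (root / "log4j-core-2.17.0.jar").touch()
        (root / "log4j-1.2.17.jar").touch()
        (root / "log4j.properties").write_text(
            "# log4j.appender.J=" + JMS_CLASS + "\nlog4j.rootLogger=INFO\n")
        print(audit(root))
```

Matching on file names misses renamed or repackaged jars and configs loaded from a non-default location, so an empty report is not proof that Log4j is absent.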

What do we do?

Both Tansa Client and Tansa Admin are now updated to use Log4j 2.17.1.

When will new installers be available and how?

Updated versions of Tansa Client and Tansa Admin have now been released.

Customers who have an operating agreement will have their servers updated continuously by us. At the same time, other customers will receive new versions through Tansa Update or by contacting us directly at support@tansa.com. We can help you install the update.