[Updated] Regarding log4j CVE-2021-44228 with Jtest
sang_parasoft
Posts: 27 admin
NIST recently published several zero-day vulnerability entries for Apache log4j, a very popular Java library for logging messages in Java applications.
CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
- Parasoft products released this year (2021) include the log4j 2.14.0 library. Parasoft confirms that these releases include the vulnerability.
CVE-2021-45046 (https://nvd.nist.gov/vuln/detail/CVE-2021-45046)
- It has been confirmed that Parasoft products are not vulnerable as long as the default configuration provided with each release is in place
CVE-2021-45105 (https://nvd.nist.gov/vuln/detail/CVE-2021-45105)
- It has been confirmed that Parasoft products are not vulnerable as long as the default configuration provided with each release is in place
Jtest versions impacted:
- 2021.1
- 2021.2
The impacted releases include log4j 2.14.0.
Older releases include log4j 1.x, which is not impacted by this vulnerability.
Updated Release for Jtest
Updated Jtest releases are available on the Customer Portal Download page. Both include log4j 2.16.0 to address CVE-2021-44228.
- 2021.1.1 (Will be available on December 21, 2021)
- 2021.2.1 (Now available)
Workaround Solution for Jtest
The recommended approach for all products is to set the following environment variable to mitigate the issue:
LOG4J_FORMAT_MSG_NO_LOOKUPS=true
MacOS
- Setting environment variables on MacOS: https://phoenixnap.com/kb/set-environment-variable-mac
Linux
- Setting environment variables on Linux: https://linuxize.com/post/how-to-set-and-list-environment-variables-in-linux/
Windows
- Setting environment variables on Windows: https://docs.oracle.com/en/database/oracle/machine-learning/oml4r/1.5.1/oread/creating-and-modifying-environment-variables-on-windows.html
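One way to check an installation against the version facts above and confirm that the workaround variable is visible to the shell that launches Jtest. This is an added example for macOS/Linux shells, not Parasoft's own tooling; the function names and the install path argument are assumptions, and the note that the variable is only read by log4j 2.10 and later comes from log4j itself rather than from this post.

```shell
#!/usr/bin/env bash
# Added example: report bundled log4j jars in an install directory and whether
# the LOG4J_FORMAT_MSG_NO_LOOKUPS workaround covers them.

# Extract the version from a jar file name (log4j-core-2.14.0.jar, log4j-1.2.17.jar).
jar_version() {
  basename "$1" | sed -n \
    -e 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p' \
    -e 's/^log4j-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# classify VERSION [ENV_VALUE] -> one status word
classify() {
  ver=$1; env_val=${2:-}
  major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
  case "$major" in
    1) echo "not-impacted"; return ;;   # log4j 1.x: not impacted by CVE-2021-44228 (per the post)
    2) ;;
    *) echo "unknown"; return ;;
  esac
  if [ "$minor" -ge 16 ]; then
    echo "updated"                      # 2.16.0 is the version shipped in the updated Jtest
  elif [ "$minor" -ge 10 ] && [ "$env_val" = "true" ]; then
    echo "mitigated-by-env"             # the variable is only read by log4j 2.10 and later
  else
    echo "needs-update"                 # below 2.16.0 and not covered by the workaround
  fi
}

# audit DIR -> one "status<TAB>version<TAB>path" line per log4j jar found
audit() {
  find "$1" -type f -name 'log4j-*.jar' 2>/dev/null | while IFS= read -r jar; do
    v=$(jar_version "$jar")
    [ -n "$v" ] || continue
    s=$(classify "$v" "${LOG4J_FORMAT_MSG_NO_LOOKUPS:-}")
    printf '%s\t%s\t%s\n' "$s" "$v" "$jar"
  done
}

# Usage: ./audit_log4j.sh /path/to/jtest   (path is a placeholder)
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Run it from the same shell or service account that starts Jtest, since an environment variable set in one session is not visible to processes started elsewhere.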