Note: This page contains information for QTM4J app - Cloud, Server, and Datacenter users.
On December 9th, a 0-day exploit in the popular Java logging library log4j2
was discovered that results in Remote Code Execution (RCE) by logging a certain string. As per the CVE standard, it has been ranked with a score of 10.0 (highest). Hence the impact of this vulnerability is considered severe. Reference - https://logging.apache.org/log4j/2.x/security.html
Log4j is one of the most popular logging libraries used in Java applications. QTM4J cloud app also uses this library and was impacted by this vulnerability. This vulnerability has been mitigated for all the QTM4J cloud instances. QTM4J cloud customers are not vulnerable anymore, and no action is required.
Log4j Vulnerability | Mitigation Date |
---|---|
CVE-2021-44228 | Dec 15th, 9:00 pm PST |
CVE-2021-45046 | Dec 21st, 3:00 am PST |
CVE-2021-45105 | Dec 21st, 3:00 am PST |
The QTM4J Server and Data Center apps are not impacted by this vulnerability and hence no action is required.
Please contact QMetry Support for more information at qtmfj@qmetrysupport.atlassian.net.