Note: This page contains information for QMetry Test Management for Jira Cloud, Server and Datacenter users.

What is the issue?

• On December 9^th, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string. As per the CVE standard, it has been ranked with a score of 10.0 (highest). Hence the impact of this vulnerability is considered severe.

Is the QTM4J app affected by the issue?

QMetry Test Management - Server and Datacenter - No

• The QMetry for Jira Server or Data Center apps are not impacted by this vulnerability.

QMetry Test Management - Cloud - Yes

• Log4j2 is one of the most popular logging libraries used in Java applications. QMetry also uses the Log4j2 library in the QMetry Test Management for the Jira Cloud app. QTM4J Cloud application is hence impacted by this vulnerability.

How is QMetry addressing the issue?

For QMetry Test Management - Cloud/SaaS Customers

• This vulnerability has been mitigated for all the QTM4J cloud instances on Dec 16^th, 8:30 pm PST. QMetry cloud customers are not vulnerable anymore, and no action is required.

References

• https://logging.apache.org/log4j/2.x/security.html

Please contact QMetry Support for more information at qmetryforjira@qmetrysupport.atlassian.net.