QMetry Security Advisory - Log4j - CVE-2021-44228
Note: This page contains information for QMetry Test Management (Standalone/Enterprise) Cloud and Server users.
What is the issue?
On December 9th, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string. As per the CVE standard, it has been ranked with a score of 10.0 (highest). Hence the impact of this vulnerability is considered severe.
How is QMetry affected by the issue?
Log4j2 is one of the most popular logging libraries used in Java applications. QMetry also uses the Log4j2 library in the QMetry Test Management application along with other add-ons and utilities. QMetry applications are hence impacted by this vulnerability.
How is QMetry addressing the issue?
For QMetry Test Management - Cloud/SaaS Customers
This vulnerability has been mitigated for all the QTM cloud instances on Dec 14th, 6:00 am PST. QMetry cloud customers are not vulnerable anymore, and no action is required.
For QMetry Test Management - Server/On-Premise Customers
QMetry has taken immediate steps to address this vulnerability by releasing a hotfix. Apache has released a fix for addressing this vulnerability with log4j2 v2.15.0. QMetry has replaced the current version of Log4j2 with version 2.15.0. We request all our server customers to apply the following fix to the QMetry applications. There are two solutions available for QMetry server customers.
Update the existing QMetry application – Follow the update process instructions and execute a set of commands to upgrade the log4j2 library in the existing instance.
Upgrade to the latest version of QMetry - Upgrade the QMetry application to the latest version, v8.9.0.2, which includes the fix for the vulnerability. Send an email to qtmprofessional@qmetrysupport.atlassian.net mentioning your current QMetry version. QMetry Support will provide the upgrade guide and packages.
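After either solution is applied, a server administrator can confirm that no older log4j-core copy is left in the installation, including copies packed inside WAR/EAR files. The script below is an added example, not part of QMetry's hotfix or update instructions; the directory to scan is passed by the operator, and the 2.15.0 threshold is the fixed version this advisory names.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

FIXED = (2, 15, 0)  # log4j2 version this advisory names as the fix
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d[^/\\]*)\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); suffixes like '-beta9' are ignored.
    An unparseable version becomes (0, 0, 0) so it is reported as outdated."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    nums = [int(n) for n in m.group().split(".")] if m else []
    return tuple(nums + [0] * (3 - len(nums)))

def scan_archive(data, label, findings):
    """Record each log4j-core copy in an archive, descending into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        by_name = NAME_RE.search(label)
        if POM in names:  # Maven metadata is more reliable than the file name
            props = zf.read(POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            if m:
                findings.append((label, parse_version(m.group(1))))
        elif by_name:
            findings.append((label, parse_version(by_name.group(1))))
        for n in names:
            if n.lower().endswith(ARCHIVES):
                scan_archive(zf.read(n), f"{label}!{n}", findings)

def scan_tree(root):
    """Return (location, version) for every log4j-core found under root."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            scan_archive(p.read_bytes(), str(p), findings)
    return findings

def outdated(findings):
    return [(label, v) for label, v in findings if v < FIXED]

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # install directory to check
    found = scan_tree(root)
    for label, v in found:
        print("OUTDATED" if v < FIXED else "ok      ", ".".join(map(str, v)), label)
    sys.exit(1 if outdated(found) else 0)
```

The script exits with status 1 if any copy older than 2.15.0 remains; nested locations are shown as `outer.war!WEB-INF/lib/...`.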
References
Please contact QMetry Support for more information at qtmprofessional@qmetrysupport.atlassian.net.