QMetry Security Advisory - Log4j - CVE-2021-44228

Note: This page contains information for QMetry Test Management (Standalone/Enterprise) Cloud and Server users.

On December 9^th, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string. As per the CVE standard, it has been ranked with a score of 10.0 (highest). Hence the impact of this vulnerability is considered severe.

Log4j2 is one of the most popular logging libraries used in Java applications. QMetry also uses the Log4j2 library in the QMetry Test Management application along with other add-ons and utilities. QMetry applications are hence impacted by this vulnerability.

This vulnerability has been mitigated for all the QTM cloud instances on Dec 14^th, 6:00 am PST. QMetry cloud customers are not vulnerable anymore, and no action is required.

QMetry has taken immediate steps to address this vulnerability by releasing a hotfix. Apache has released a fix for addressing this vulnerability with log4j2 v2.15.0. QMetry has replaced the current version of Log4j2 with version 2.15.0. We request all our server customers to apply the following fix to the QMetry applications. There are two solutions available for QMetry server customers.
- Update the existing QMetry application – Follow the update process instructions and execute a set of commands to upgrade the log4j2 library in the existing instance.
- Upgrade to the latest version of QMetry - Upgrade the QMetry application to the latest version v8.9.0.2 that includes the fix to address the vulnerability. Send an email to qtmprofessional@qmetrysupport.atlassian.net by mentioning the current QMetry version. QMetry Support will provide the upgrades guide and packages.

Please contact QMetry Support for more information at qtmprofessional@qmetrysupport.atlassian.net.