Log4j security vulnerability patch (CVE-2021-45046) - Linux server instances
This patch is specific to the QMetry Test Management App and Reports installed on on-premises Linux server instances.
QMetry recently released a security advisory for the recently published remote code execution 0-day vulnerability CVE-2021-44228, which affects the widely used Apache Log4j logging library. The fix that Apache issued for this vulnerability in Log4j 2.15.0 was found to be incomplete, and a newer vulnerability was reported as CVE-2021-45046.
The following steps are required to further patch the log4j vulnerability.
Reference: Apache Log4j Security Vulnerabilities
For QMetry Test Management - Cloud/SaaS Customers
This vulnerability has been mitigated for all the QTM cloud instances. QMetry cloud customers are not vulnerable anymore, and no action is required.
For QMetry Test Management - Server Customers
Upgrade the QMetry application to the latest version, 8.9.0.3. With this upgrade, the Apache Log4j core and API files are updated to v2.17.1 for the QMetry application and v2.16.0 for QMetry Reports, thereby mitigating the critical vulnerabilities.
To request the upgrade downloads and steps, contact QMetry Support with your server OS and current QMetry version, either by email at qtmprofessional@qmetrysupport.atlassian.net or via the Support Portal.
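One way to confirm the Log4j versions on the server after the upgrade, as an added example that is not part of QMetry's instructions: the script lists the log4j-core and log4j-api jars under a directory and flags any older than the minimum version given. The install paths are placeholders (the page does not state them), and it assumes the jars keep Apache's `log4j-core-<version>.jar` naming, sit unpacked on disk, and that `sort -V` is available.

```shell
#!/bin/sh
# Added example: audit Log4j 2 jar versions under a directory (POSIX sh).
# The version is read from the file name (log4j-core-2.17.1.jar); renamed,
# shaded or archive-embedded copies are not detected.

# version_ge A B: succeeds when version A >= version B (needs sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# audit_log4j DIR MIN: print one line per log4j-core/log4j-api jar found
# under DIR; return 1 if any is older than MIN, otherwise 0.
audit_log4j() {
    find "$1" -type f \( -name 'log4j-core-2*.jar' -o -name 'log4j-api-2*.jar' \) |
    (
        min=$2 status=0 found=0
        while IFS= read -r jar; do
            found=1
            ver=$(basename "$jar" .jar)
            ver=${ver#log4j-core-}
            ver=${ver#log4j-api-}
            if version_ge "$ver" "$min"; then
                echo "OK       $ver $jar"
            else
                echo "OUTDATED $ver $jar (expected >= $min)"
                status=1
            fi
        done
        [ "$found" -eq 1 ] || echo "NONE     no log4j-core/log4j-api jars under $1"
        exit "$status"
    )
}

# Command-line use (paths are placeholders, not taken from the page):
#   sh audit_log4j.sh /path/to/qmetry-app 2.17.1
#   sh audit_log4j.sh /path/to/qmetry-reports 2.16.0
if [ "$#" -eq 2 ]; then
    audit_log4j "$1" "$2"
    exit $?
fi
```

A `NONE` result means no matching file names were found, which can also happen when the jars are packed inside an application archive, so it is not by itself proof that Log4j is absent.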