Log4j security vulnerability patch (CVE-2021-45046) - Linux server instances


This patch applies to QMetry Test Management (the application and QMetry Reports) installed on on-premises Linux server instances.

QMetry recently released a security advisory for the remote code execution zero-day CVE-2021-44228 affecting the widely used Apache Log4j logging library. The fix Apache shipped in Log4j 2.15.0 was subsequently found to be incomplete in certain non-default configurations, and the remaining issue was assigned CVE-2021-45046.

The following steps are required to fully patch the Log4j vulnerability.

Reference: Apache Log4j Security Vulnerabilities

For QMetry Test Management - Cloud/SaaS Customers

This vulnerability has been mitigated on all QTM cloud instances. QMetry cloud customers are no longer vulnerable, and no action is required.

For QMetry Test Management - Server Customers

Upgrade the QMetry application to the latest version, 8.9.0.3. The upgrade updates the Apache Log4j core and API jars to v2.17.1 in the QMetry application and to v2.16.0 in QMetry Reports, which addresses CVE-2021-44228 and CVE-2021-45046. Note that Log4j 2.16.0 is still affected by the later, lower-severity CVE-2021-45105 (a denial-of-service issue fixed in 2.17.0); the two critical remote code execution issues are closed by both versions.

You can request the upgrade downloads and steps from QMetry Support, stating your server OS and current QMetry version, by emailing qtmprofessional@qmetrysupport.atlassian.net or via the Support Portal.
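Before and after applying the upgrade, it is worth confirming which Log4j jars are actually present on the server rather than relying on the product version alone. The script below is an added example for this page, not a QMetry-supplied tool. It assumes the jars follow Apache's own naming (log4j-core-<version>.jar, log4j-api-<version>.jar); the install directories and the minimum versions passed on the command line are assumptions that you replace with your own paths and the targets above (2.17.1 for the application, 2.16.0 for Reports).

```sh
#!/bin/sh
# Added example, not QMetry's own tooling. Lists every log4j-core / log4j-api
# jar below a directory, reads the version from the jar file name, and flags
# any jar older than a required minimum. Directory and minimum are assumptions.

# Echo the x.y.z version embedded in a name like log4j-core-2.14.1.jar.
# Returns 1 and prints nothing for any other file name.
log4j_version_of() {
    base=$(basename "$1")
    case "$base" in
        log4j-core-[0-9]*.jar|log4j-api-[0-9]*.jar) ;;
        *) return 1 ;;
    esac
    ver=${base#log4j-*-}        # strip the "log4j-core-" / "log4j-api-" prefix
    ver=${ver%.jar}             # strip the ".jar" suffix
    echo "${ver%%-*}"           # drop classifiers such as "-tests"
}

# Return 0 (true) when x.y.z version $1 is older than $2, else 1.
# Compares field by field numerically, so 2.9.1 sorts before 2.17.1.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        af=${a%%.*}; bf=${b%%.*}
        [ "${af:-0}" -lt "${bf:-0}" ] && return 0
        [ "${af:-0}" -gt "${bf:-0}" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Print one line per Log4j jar under $1: "<status> <version> <path>", where
# status is "ok" or "OUTDATED" relative to the minimum version $2.
scan_log4j_jars() {
    find "$1" -type f \( -name 'log4j-core-*.jar' -o -name 'log4j-api-*.jar' \) 2>/dev/null |
    while IFS= read -r jar; do
        ver=$(log4j_version_of "$jar") || continue
        if version_lt "$ver" "$2"; then
            echo "OUTDATED $ver $jar"
        else
            echo "ok $ver $jar"
        fi
    done
}

# Return 0 when no jar under $1 is older than $2, 1 otherwise.
log4j_dir_ok() {
    ! scan_log4j_jars "$1" "$2" | grep -q '^OUTDATED '
}

# Usage: sh check-log4j.sh <install-dir> <minimum-version>
# e.g.   sh check-log4j.sh /opt/qmetry 2.17.1      (path is an assumption)
if [ $# -ge 1 ]; then
    scan_log4j_jars "$1" "${2:-2.17.1}"
    log4j_dir_ok "$1" "${2:-2.17.1}" && echo "no outdated Log4j jars under $1"
fi
```

Run it once against the application install root with 2.17.1 and once against the Reports install root with 2.16.0; a non-zero exit from log4j_dir_ok means at least one jar is still older than the target. The check reads the version from the file name only, so a renamed jar is invisible to it; for those, read the Implementation-Version entry from the jar's manifest with unzip -p <jar> META-INF/MANIFEST.MF.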