
Apache 0-day exploit hot-fix by QMetry

Punit Samtani
December 14, 2021

1. What is the issue?

On December 9th, a 0-day exploit was discovered in the popular Java logging library log4j2 that results in Remote Code Execution (RCE) when a certain string is logged. As per the CVE standard, it has been ranked with a score of 10.0 (the highest). Hence the impact of this vulnerability is considered severe.

2. How is QMetry affected by the issue?

Log4j2 is one of the most popular logging libraries used in Java applications. QMetry also uses the Log4j2 library in the QMetry Test Management application along with other add-ons and utilities. QMetry applications are hence impacted by this vulnerability.

3. How is QMetry addressing the issue?

QMetry has taken immediate steps to address this vulnerability by releasing a hotfix. Apache has released a fix for this vulnerability in log4j2 v2.15.0, and QMetry has replaced the current version of Log4j2 with version 2.15.0. We request all our server customers to apply the following fix to their QMetry applications. A similar fix for the cloud version of the QMetry application will be applied by 9.00am PST on Dec 14th.

There are two solutions available for QMetry server customers:

  1. Upgrade to the latest version of QMetry – Upgrade the QMetry application to the latest version, v8.9.0.2, which includes the fix to address the vulnerability.
  2. Update the existing QMetry application – Follow the update process instructions and execute a set of commands to upgrade the log4j2 library in the existing instance.
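After either option, it is worth confirming that no older log4j-core copy remains on the server. The script below is an added example, not QMetry's own tooling: it walks a directory given on the command line (the install path is an assumption you supply), looks inside nested WAR/EAR/JAR archives, and flags any log4j-core older than the 2.15.0 named above, reading the version from the Maven `pom.properties` metadata when the jar has been renamed.

```python
import io, re, sys, zipfile
from pathlib import Path

FIXED = (2, 15, 0)  # version this advisory says QMetry moved to
# Standard Maven metadata entry carried inside log4j-core jars
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?")
ARCHIVES = (".jar", ".war", ".ear")

def version_of(label, zf):
    """Version from embedded pom.properties, else from the archive file name."""
    if POM in zf.namelist():
        text = zf.read(POM).decode("utf-8", "replace")
        m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    else:
        m = NAME_RE.search(re.split(r"[/\\!]", label)[-1])
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(label, data, findings):
    """Record log4j-core found in this archive and in archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to report
    with zf:
        ver = version_of(label, zf)
        if ver:
            findings.append((label, ver, ver < FIXED))
        for entry in zf.namelist():
            if entry.lower().endswith(ARCHIVES):
                scan_archive(f"{label}!{entry}", zf.read(entry), findings)

def scan_tree(root):
    """Return (location, version, is_outdated) for every log4j-core under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(str(path), path.read_bytes(), findings)
    return findings

if __name__ == "__main__":
    results = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for label, ver, outdated in results:
        print("OUTDATED" if outdated else "ok      ", ".".join(map(str, ver)), label)
    sys.exit(1 if any(outdated for _, _, outdated in results) else 0)
```

The non-zero exit status when an outdated copy is found lets the check run from a deployment or monitoring job.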

Please contact QMetry Support for more information at qtmprofessional@qmetrysupport.atlassian.net.
