...
- ApplicationInsights, ConnectionsExpert, iDNA, and iDNA Applications make some direct use of Log4j. We will remove Log4j completely to resolve this and reliably prevent any further issues.
- GreenLight, iDNA Applications, and OfficeExpert include Metabase which uses Log4j. We will update the Metabase version in all these products to a safe release.
Note (Regarding Metabase)
Metabase includes Log4j and is vulnerable to CVE-2021-44228. As a first fix, we update to Metabase 0.40.7 (which includes Log4j 2.15.0 and protects against the remote code execution exploit). The more recently discovered CVE-2021-45046 requires Log4j 2.16.0, for which no Metabase release is available yet. If you are uncomfortable with CVE-2021-45046, you can manually turn off Metabase for now:
Overview and Status
Product | CVE-2021-44228 | Fix Status | Fix Release | CVE-2021-45046 | Fix Status (all CVEs) | Fix Release | How To Upgrade
---|---|---|---|---|---|---|---
ApplicationInsights | vulnerable - fix available | released - Dec 14 | 1.6.3 | vulnerable - fix available | released - Dec 14 | 1.6.3 | Upgrade ApplicationInsights (≥ v1.5.1)
ConnectionsExpert 2.x | vulnerable - fix available | released - Dec 15 | 2.1.3 | vulnerable - fix available | released - Dec 15 | 2.1.3 | Upgrade ConnectionsExpert (> v2.0)
ConnectionsExpert 3.x | vulnerable | in testing | 3.0.2 | vulnerable | in testing | 3.0.2 | Upgrade ConnectionsExpert (> v2.0)
GreenLight | vulnerable - fix available | released - Dec 15 | 4.5.0 | vulnerable - fix available | released - Dec 15 | | Upgrading GreenLight - only for >=3.5.x
GreenLight (Metabase) | | | | Metabase potentially vulnerable 1) | waiting for Metabase | 4.5.1 |
iDNA | vulnerable | in testing | 2.11.1 | vulnerable | in testing | 2.11.1 | please contact support
iDNA Applications | vulnerable - fix available | released - Dec 13 | 2.1.2 | vulnerable - fix available | released - Dec 13 | 2.1.2 | Upgrading iDNA Applications
iDNA Applications (Metabase) | | | | Metabase potentially vulnerable 1) | waiting for Metabase | 2.1.3 |
MarvelClient | safe | | | safe | | |
OfficeExpert | vulnerable - fix available | released - Dec 14 | 4.3.3 | vulnerable - fix available | released - Dec 14 | 4.3.3 | Upgrading OfficeExpert
OfficeExpert (Metabase) | | | | Metabase potentially vulnerable 1) | waiting for Metabase | 4.3.4 |
OfficeExpert EPM | safe | | | safe | | |
SecurityInsider / GroupExplorer | safe | | | safe | | |
SmartChanger | safe | | | safe | | |
Document Properties Plugin | safe | | | safe | | |
LogViewer Plugin | safe | | | safe | | |
Network Monitor Plugin | safe | | | safe | | |
PrefTree Plugin | safe | | | safe | | |
Tabzilla Plugin | safe | | | safe | | |
Timezone Helper Plugin | safe | | | safe | | |
1) See info box "Regarding Metabase" above the table
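To confirm which Log4j a bundled Metabase jar (or any other jar) actually carries after an upgrade, the following added example (not the vendor's or Metabase's code) reads the log4j-core Maven metadata from a jar, including nested jars, and applies the two version thresholds stated in the Metabase note. It assumes the bundle keeps its META-INF/maven entries and considers only the main 2.x release line; the sample jar is constructed in memory.

```python
import io
import re
import zipfile

# Maven metadata entry shipped with log4j-core (assumption: the bundle was
# not stripped of its META-INF/maven entries when it was repackaged).
POM_SUFFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Return the version= value of a pom.properties file as a tuple of ints."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(version):
    """Apply the thresholds from the note: 2.15.0 and 2.16.0 (main 2.x line only)."""
    if version is None:
        return "unknown"
    if version < (2, 15, 0):
        return "CVE-2021-44228 and CVE-2021-45046"
    if version < (2, 16, 0):
        return "CVE-2021-45046"
    return "neither"

def scan_jar(jar, prefix=""):
    """Yield (location, version) for every log4j-core found, including nested jars."""
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(POM_SUFFIX):
                yield prefix + name, parse_version(zf.read(name).decode("utf-8", "replace"))
            elif name.lower().endswith((".jar", ".war")):
                try:
                    yield from scan_jar(io.BytesIO(zf.read(name)), prefix + name + "!/")
                except zipfile.BadZipFile:
                    continue  # entry is not a real archive; skip it

def make_sample_jar(version):
    """Constructed sample: log4j-core metadata inside lib/app.jar inside an outer jar."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_SUFFIX, f"artifactId=log4j-core\nversion={version}\n")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("lib/app.jar", inner.getvalue())
    return outer

if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0", "2.16.0"):
        for where, found in scan_jar(make_sample_jar(v)):
            print(where, found, "-> exposed to:", classify(found))
```

To check a real installation, pass the path of the jar on disk to `scan_jar` instead of the constructed sample.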
What happens now? What do I need to do?
...