Dear Clients, Colleagues and Partners,
The TRUECHART team is aware of the recently published security vulnerability in Apache Log4j, reference CVE-2021-44228.
This vulnerability does not affect the latest TRUECHART application
- Log4j version 2.14.1 and prior is affected by this vulnerability, and versions above 2.15.0 are not as it was disabled by default;
- The latest releases of TRUECHART use version 2.15.0;
- You can confirm what version of log4j you are on, by going to the location below and checking the version number of the log4j jars;
Location of the log4j jar files:
*Note: the installation directory of TRUECHART may vary depending on if you customized the installation directory.
- The default location of TRUECHART is: C:\Program Files\High Coordination\Webapps\TRUECHARTService\WEB-INF\lib
- Inside the above lib folder, you will note a few jar files. The 2 you are specifically looking for is log4j-api-2.15.0.jar and log4j-core-2.15.0.jar
- If the version is below 2.15.0 then you are running an out of date version of TRUECHART;
- You can get the latest released version of TRUECHART on www.truechart.com . Please do be cognizant of the Qlik Sense TRUECHART compatibility when doing so .
Should you be on a TRUECHART version 2021.2.1 or older, it is recommended to update to 2021.3.0 that is available on our website. CLICK HERE to be directed to our User Portal for the download.
For detailed instructions on how to install TRUECHART, please CLICK HERE and navigate to our Knowledge Base.
Should you not be ready to upgrade to the most recent version of TRUECHART, it is recommended that you only update log4j jars to 2.15.0, this will not impact your functionality within TRUECHART, but will protect you against the reported vulnerability. Please CLICK HERE for detailed instructions on how to do this.
The link below may be used as a reference and a more detailed explanation of the CVE-2021-44228 log.
“Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.”
Should you have any further questions or queries, please contact firstname.lastname@example.org
Stay up-to-date with TRUECHART. Follow us on LinkedIn.