Update (01-03-2022): The newest Log4j issue (CVE-2021-44832) appears to pose relatively low risk to QuerySurge itself, as it requires server access for the attack. This is remediated in Log4j 2.17.1. (Released in QuerySurge v.10.0.0)
Update (12-28-2021): The Log4j project released Log4j 2.17.1 to patch CVE-2021-44832 (rated CVSS v3 6.6). (Released in QuerySurge v.10.0.0)
Update (12-22-2021): QuerySurge 9.2.19 patches Log4j vulnerabilities CVE-2021-45105, CVE-2021-45046, CVE-2021-44228. See below for details and downloads.
Is QuerySurge affected by the Log4j 2 vulnerability (CVE-2021-44228)?
This vulnerability affects QuerySurge core components versions 9.0 - 9.2. We have released patches in response to this issue and follow-on issues (see the History table at the end of this article for our current Log4j patch history). If you are on one of these versions, we suggest, in the strongest terms possible, that you upgrade immediately (see below for download links). If you are on an earlier version (8.2 or below), your QuerySurge core components are not affected by the vulnerability, and you can continue using QuerySurge safely with regard to the Log4j issues.
Is QuerySurge affected by the second Log4j 2 vulnerability (CVE-2021-45046)?
This vulnerability affects QuerySurge core components versions 9.0 - 9.2. We have released patches in response to this issue and follow-on issues (see the History table at the end of this article for our current Log4j patch history). If you are on one of the potentially affected versions, we suggest, in the strongest terms possible, that you upgrade immediately (see below for download links). If you are on an earlier version (8.2 or below), your QuerySurge core components are not affected by the vulnerability, and you can continue using QuerySurge safely with regard to the Log4j issues.
Is QuerySurge affected by the third Log4j 2 vulnerability (CVE-2021-45105)?
This vulnerability could affect QuerySurge core components versions 9.0 - 9.2. Based on our preliminary investigation, QuerySurge has a low risk regarding this vulnerability (a denial-of-service (DoS) vulnerability), since QuerySurge should only be deployed behind an organization's firewall. A DoS attack would therefore have to come from inside the firewall. However, out of an abundance of caution, we have released a patch. See the History table at the end of this article for our current Log4j patch history. If you are on one of the potentially affected versions, we strongly suggest that you upgrade immediately (see below for download links). If you are on an earlier version (8.2 or below), your QuerySurge core components are not affected by the vulnerability, and you can continue using QuerySurge safely with regard to the Log4j issues.
What if I use a version of QuerySurge prior to the affected versions?
Unrelated to these Log4j 2 issues (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105), we strongly recommend upgrading to the latest version (see below for download links), as this version has the latest features and security updates.
Does QuerySurge use Log4j v1?
QuerySurge does deploy an older version of Log4j (v1.2.15) in the Agent JDBC directory. This is required by the CSV and XML JDBC drivers that QuerySurge ships with. Log4j v1 does not appear to be affected by CVE-2021-44228 and related vulnerabilities. However, since Log4j 1 has reached end of life and is no longer supported, out of an abundance of caution, we have, starting with the QuerySurge 9.2.17 patch release, replaced this library with a stub library that enables the drivers to work (but supports no logging or other functionality). See this article for additional details.
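To verify which Log4j jars are actually present in a QuerySurge core or Agent install (rather than relying on the product version alone), the following added inventory script, which is not QuerySurge's own tooling, walks an install directory and maps each Log4j jar to the CVEs listed above that its version does not yet fix. The install path is an assumption; the fixed-in versions are taken from the Apache Log4j release notes.

```python
"""Inventory Log4j jars under a QuerySurge install and map them to the CVEs above.

Added example, not QuerySurge's own tooling. The default install root is an
assumption; pass your actual QuerySurge directory (core or Agent) as argv[1].
"""
import os
import re
import sys

# Log4j 2 release that first fixed each CVE (Apache Log4j release notes).
# Java 7 backport branches (2.12.x, 2.3.x) are not modelled here.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
# Matches log4j-core-2.x.y.jar (Log4j 2) and log4j-1.x.y.jar (Log4j 1).
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)


def assess_jar(filename):
    """Return (version tuple, list of open findings) for a Log4j jar name, or None."""
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    if version[0] == 1:
        # Log4j 1.x (QuerySurge ships 1.2.15 for the CSV/XML JDBC drivers): not in
        # scope for these CVEs, but end-of-life; 9.2.17+ replaces it with a stub.
        return version, ["log4j-1.x-end-of-life"]
    return version, [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def scan(root):
    """Walk root and return {path: (version, findings)} for every Log4j jar found."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            result = assess_jar(name)
            if result:
                findings[os.path.join(dirpath, name)] = result
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/QuerySurge"  # assumed path
    for path, (version, issues) in sorted(scan(root).items()):
        status = "needs upgrade: " + ", ".join(issues) if issues else "OK (>= 2.17.1)"
        print(f"{path}  {'.'.join(map(str, version))}  {status}")
```

Run it against both the core install and every Agent directory, since the Log4j 1 jar lives under the Agent JDBC directory.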
Links
National Vulnerability Database (NVD) - CVE-2021-44832
National Vulnerability Database (NVD) - CVE-2021-44228
National Vulnerability Database (NVD) - CVE-2021-45046
National Vulnerability Database (NVD) - CVE-2021-45105