NOTE: On December 15, 2021, Apache released a further log4j update, 2.16.0, addressing CVE-2021-45046, an issue that the December 10, 2021 fix (log4j 2.15.0) left open in certain non-default configurations. QIE was updated to this new version of log4j and released as QIE version 22.214.171.12406 with this fix.
On December 10, 2021, NIST published CVE-2021-44228, a critical-severity Common Vulnerabilities and Exposures (CVE) entry. The vulnerability is in Apache Log4j's handling of Java Naming and Directory Interface (JNDI) lookups, which are enabled in log4j's default configuration. An attacker who can get a crafted string (for example a ${jndi:ldap://...} lookup) into any message that is logged can cause log4j to fetch and execute arbitrary code from an attacker-controlled LDAP server.
At the time of the NIST notification, QIE versions 126.96.36.19946 - 188.8.131.5257 were using log4j 2.13.1 and were therefore exposed to the vulnerability. All releases of QIE prior to 184.108.40.20646 were using an older log4j branch that is not exposed to this vulnerability.
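Before and after upgrading, a practitioner will want to confirm which log4j-core jar is actually on disk rather than trust a version label. The scanner below is an added example, not Qvera code or part of this advisory: it walks a directory, finds log4j-core-*.jar files, reads the version from the jar's Maven pom.properties (falling back to the file name), checks whether JndiLookup.class is still present, and classifies each jar against the fix threshold this advisory uses (2.16.0). The sample jars it builds are constructed in a temporary directory for the demonstration; the QIE install path, the jar layout, and the simplified version rule (which ignores the 2.12.x / 2.3.x backport branches) are assumptions.

```python
"""Find log4j-core jars under a directory tree and classify them against
CVE-2021-44228 / CVE-2021-45046 (added example; not Qvera's own tooling).

Assumptions: log4j-core ships as log4j-core-<version>.jar with the usual
Maven metadata inside it; the install root is passed on the command line.
"""
import os
import re
import sys
import tempfile
import zipfile

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.13.1' -> (2, 13, 1); None if the text does not start with x.y.z."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version, has_jndi_lookup=True):
    """Status for a log4j-core version tuple, using 2.16.0 as the fixed release."""
    if version is None:
        return "unknown: no version metadata found"
    if version[0] < 2:
        return "log4j 1.x: not affected by CVE-2021-44228"
    if version >= (2, 16, 0):
        return "fixed"
    if not has_jndi_lookup:
        # Widely used interim mitigation: JndiLookup.class deleted from the jar.
        return "mitigated: JndiLookup.class removed from jar"
    if version < (2, 15, 0):
        return "vulnerable: CVE-2021-44228 and CVE-2021-45046"
    return "vulnerable: CVE-2021-45046 (2.15.0 fix incomplete)"


def inspect_jar(path):
    """Read version and JNDI-lookup presence from one jar and classify it."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        if version is None:  # fall back to the version in the file name
            m = re.search(r"log4j-core-(\d+\.\d+\.\d+)", os.path.basename(path))
            version = parse_version(m.group(1)) if m else None
        has_jndi = JNDI_LOOKUP_CLASS in names
        return {"path": path, "version": version, "has_jndi_lookup": has_jndi,
                "status": classify(version, has_jndi)}


def scan(root):
    """Return inspection results for every log4j-core jar under root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results.append(inspect_jar(os.path.join(dirpath, name)))
    return results


def build_sample_tree():
    """Constructed sample: fake jars (not real log4j) mimicking the metadata layout."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    # (subdirectory, version, keep JndiLookup.class?)
    samples = [("lib", "2.13.1", True), ("lib", "2.15.0", True),
               ("lib", "2.16.0", True), ("lib-mitigated", "2.13.1", False)]
    for sub, ver, with_jndi in samples:
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with zipfile.ZipFile(os.path.join(root, sub, f"log4j-core-{ver}.jar"), "w") as jar:
            jar.writestr(POM_PROPERTIES, f"version={ver}\nartifactId=log4j-core\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for r in sorted(scan(target), key=lambda r: r["path"]):
        ver = ".".join(map(str, r["version"])) if r["version"] else "?"
        print(f"{r['path']}: log4j-core {ver}, JndiLookup present={r['has_jndi_lookup']}: {r['status']}")
```

Run it as `python scan_log4j.py /path/to/qie` against the real install; with no argument it scans the constructed sample tree. A jar reported as "fixed" or "mitigated" only covers log4j-core itself; a restart of the QIE service is still required for the running JVM to pick up the replaced jar, which is why the update procedure below restarts the service.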
Upon learning of the NIST notification, we immediately began work on a patch that upgrades the log4j libraries bundled with QIE to log4j 2.15.0, the release Apache published specifically to address this vulnerability. The QIE upgrade was completed the same day, and we entered our testing and validation phase. As of Wednesday, December 15th, 2021, all tests had passed and the patch was released as QIE version 220.127.116.1106.
We strongly recommend that all QIE installations be upgraded as soon as possible to mitigate the risk of exposure to this vulnerability. To upgrade your existing environment please execute the following steps:
1) Log into your QIE console and navigate to "System Administration" -> "System Configuration" page
2) Under the "QIE Update Status" field set, select the "Check Now" option
Once you select this option you should see a new available build of version 18.104.22.16806 or greater.
3) Click on the "Download Now" button. This downloads the updated version of QIE to your local installation and prepares it for installation. Wait for the download to complete and show up in the "Downloaded" column.
4) Click on "Install Now". This restarts your QIE service on the updated version of QIE. Once this is complete, you will be running the latest version of QIE and will no longer be exposed to the CVE-2021-44228 log4j JNDI vulnerability.
NOTE: Updating QIE typically takes 2 to 5 minutes to complete, depending on the size of the database. The QIE service will be down during this upgrade process.
If for any reason you are unable to download and install this update, or if you have any concerns with doing this upgrade, please contact Qvera support.
NOTE: If you are running QIE in a containerized environment, such as Kubernetes, you will need to upgrade to the latest version of QIE by updating the image tag in your configuration to "qvera/qie:22.214.171.12406". If you need assistance with this upgrade, please contact Qvera support.