Fixes around the Apache log4j library

A vulnerability has been found in the Apache log4j logging library: https://www.cve.org/CVERecord?id=CVE-2021-44228 and https://www.cve.org/CVERecord?id=CVE-2021-45046 and https://www.cve.org/CVERecord?id=CVE-2021-45105.

It affects Squash TM, Xsquash Cloud and Squash TF.

Squash TM

Concerning Squash TM, corrections are available for all maintained versions, they include the log4j update to version 2.17.

The corrective versions are the following:

These versions also fix the vulnerability for plugins, including the Squash AUTOM and Squash DEVOPS plugins.

This update is iso functional, so it is transparent to your users. If you are running version 1.21, 2.0 or 2.1, this correction only requires updating the application.

For version 1.22, if you have a version lower than 1.22.5, then an update of the database is also necessary. If you have version 1.22.5 or higher, then only the application update is required.

All versions of Squash are affected, but only the supported versions have the correction. Therefore, if you are using a version prior to 1.21, we invite you to upgrade to at least 1.21.7.

We strongly recommend that you upgrade as soon as possible.

This vulnerability does not impact Docker installations.

Xsquash Cloud

New versions of Xsquash Cloud for Jira Cloud are also available. If you have an Xsquash Cloud hosted at Henix, it has already been updated by us.

Xsquash plugins for Jira Server and Data Center are not impacted.

Squash TF

For Squash TF, here is the procedure to follow (to be done in the container in case of a Docker deployment):

1) Download the new libraries:

2) In the installation directory of the server/agent, go to the apache-maven-3.5.0/lib/ext directory.

You should have something similar to this :

3) Delete the 3 existing jar files and replace them with the downloaded ones.

The docker images of the TF agents are not impacted:

Squash Orchestrator

Squash Orchestrator, and OpenTestFactory that it includes, are not impacted.