Hi Team,
Are SecureTransport v5.2.1 and 5.3.3 also affected by Apache Log4j? If yes, please release advisories for this.
https://support.axway.com/en/articles/article-details/id/181921/do/search
Dec 13, 2021 10:52 PM
Thanks, Riaz, for reporting this. We have created a ticket with Secunia Research to look into this. We will get back to you ASAP.
Dec 14, 2021 03:38 AM
We issued SA105537 for this. Essentially, the vendor had a partially conflicting statement there, which caused the confusion and triggered an inquiry to the vendor:
"Known attack vectors mitigated, and no direct vulnerability available. Possible impact exists due to log4j version."
So the vendor said no direct vulnerability is available but then said a possible impact exists.
After our inquiry, the KB was updated to state "Possible impact exists.", which then allowed us to issue SA105537.
Please note, we issued for 5.5 solely as other versions are stated as not being affected.
Dec 17, 2021 08:13 AM