QA Tools not affected by Log4Shell vulnerability

Last edited on


As stated by our parent company: the software quality assurance tools Squish, Coco and Test Center are not affected by the Log4Shell vulnerability.


Log4Shell is a high-severity vulnerability found in the log4j logging framework. Affected versions of the framework allow attackers to execute code on remote systems.

The vulnerability was assigned the identifier CVE-2021-44228 and become public on December 10, 2021.

None of our products has been including or using the affected framework.

False positive

The Squish IDE is based on the Java-based Eclipse framework. As such, a Squish installation contains the following file:


The file name ant-apache-log4j.jar may suggest a copy of the vulnerable log4j library. However, the file is just an adaptor to log4j. The adaptor is not used and the affected log4j library needed for it to function is not bundled with Squish.