Summary
As stated by our parent company: the software quality assurance tools Squish, Coco and Test Center are not affected by the Log4Shell vulnerability.
Background
Log4Shell is a high-severity vulnerability in the log4j logging framework. Affected versions of the framework allow attackers to execute code on remote systems.

The vulnerability was assigned the identifier CVE-2021-44228 and became public on December 10, 2021.

None of our products has ever included or used the affected framework.
False positive
The Squish IDE is based on the Java-based Eclipse framework. As such, a Squish installation contains the following file: bin/ide/plugins/org.apache.ant_1.10.1.v20170504-0840/lib/ant-apache-log4j.jar
The file name ant-apache-log4j.jar may suggest a copy of the
vulnerable log4j library. However, the file is just an adaptor to
log4j. The adaptor is not used and the affected log4j library needed
for it to function is not bundled with Squish.
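One way to triage a name-based false positive like this is to inspect what a jar actually contains instead of trusting its file name: the vulnerable code path of CVE-2021-44228 lives in log4j-core's JndiLookup class, so a jar without any log4j classes at all is only an adaptor. The script below is an added example, not code from the Squish project; the two jars it classifies are constructed in memory, and the class names inside them are illustrative.

```python
import io
import zipfile
from pathlib import Path

# Class implementing the JNDI lookup abused by CVE-2021-44228; if a jar
# contains it, the vulnerable log4j-core code is really bundled.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Package prefixes of the log4j library itself (1.x and 2.x).
LOG4J_PREFIXES = ("org/apache/log4j/", "org/apache/logging/log4j/")


def classify_jar(data: bytes) -> str:
    """Classify a jar by its contents, not its name.

    'log4j-core-jndi' : bundles log4j-core with JndiLookup (needs review)
    'log4j-classes'   : carries log4j classes but no JndiLookup
    'adaptor-only'    : no log4j classes, only code that references log4j
    """
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
    if JNDI_LOOKUP in names:
        return "log4j-core-jndi"
    if any(n.startswith(LOG4J_PREFIXES) for n in names):
        return "log4j-classes"
    return "adaptor-only"


def scan_install(root: Path) -> dict:
    """Walk an installation tree and classify every *.jar found under it."""
    return {str(p.relative_to(root)): classify_jar(p.read_bytes())
            for p in sorted(root.rglob("*.jar"))}


def build_jar(entries) -> bytes:
    """Build a constructed in-memory jar holding only the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed samples (not files taken from a Squish install): an adaptor jar
# that only ships an Ant listener class, and a jar bundling log4j-core itself.
ADAPTOR_JAR = build_jar(["META-INF/MANIFEST.MF",
                         "org/apache/tools/ant/listener/Log4jListener.class"])
CORE_JAR = build_jar(["META-INF/MANIFEST.MF",
                      "org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP])

if __name__ == "__main__":
    print("ant-apache-log4j.jar ->", classify_jar(ADAPTOR_JAR))  # adaptor-only
    print("log4j-core.jar       ->", classify_jar(CORE_JAR))     # log4j-core-jndi
```

Pointing scan_install at an installation root reports every jar by category, so a jar whose name merely mentions log4j shows up as adaptor-only while a real bundled log4j-core is flagged for review.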