The recently reported Apache Log4j 2 security issues (CVE-2021-44228 and CVE-2021-45046, CVE-2021-45105) created some mess within the developers’ community. We got lots of people asking questions on how we escalated these issues here and there.
To be short: you are safe with any Qameta Software product. For details, please read the public product-specific breakdown below.
For additional details or assistance, please, contact [email protected].
Allure TestOps
Allure TestOps uses Logback for logging purposes. This means Allure TestOps in version 3.x is NOT affected by the reported log4j vulnerabilities.
It has log4j to slf4j bridge and Apache Log4j API jars in the classpath for libraries that may use log4j API for logging.
No action is needed. We still advise keeping your software upgraded to the latest version.
Allure TestOps JIRA Server plugin
Older JIRA Server installations may use log4j version 1.2.17. While the Qameta Software plugin does not use it, please, check your JIRA installations for vulnerabilities to avoid any issues.
Allure Report
While older versions of Allure Commandline (before 2.17.2) used log4j 1.2.17 they were not affected by the above 0-day vulnerabilities.
Anyway, to stay safe and calm, please, update Allure Report to version 2.17.2. The release provides log4j to Logback migration.
This upgrade will also eliminate any Apache Log4j 1.2.17 presence for all the Allure integrations and plugins.
Allure Bamboo Plugin / Allure Report JIRA Server plugin
Older Bamboo and JIRA Server installations may use Apache Log4j version 1.2.17.
While the Qameta Software plugin does not use it, please, check your JIRA installations for vulnerabilities to avoid any issues.
Learn more about Allure tools
Learn more about our products: Allure Framework and Allure TestOps, the ultimate DevOps-ready testing platform.
Subscribe to our Twitter feed, GitHub Discussions, or Telegram community (ru-only). It is a wholesome place to get help and stay up-to-date with the news.
