Apache Log4j Vulnerability Update


Service Bulletin

Our engineering team delivered a patch for all affected systems on Saturday, 12/11/21, and has been updating our knowledge base continuously.

On 12/15/2021, Apache found a second vulnerability in Log4j that affected the JndiLookup class. The Log4j patches released by Ephesoft on 12/11/21 also resolve this second vulnerability. Please refer to the link above for additional information.

The engineering team has also determined that in older versions of Transact, users may encounter the following Log4j-1*.jar files. These instances of Log4j 1.x are not affected by this vulnerability.

What happened?

A critical, widespread vulnerability has been discovered in Apache Log4j, an open-source Java logging package used in many popular applications. It can be exploited to achieve remote code execution on servers. Ephesoft addressed this vulnerability on Saturday, 12/11/2021, and made a security patch available to on-premises customers and partners to minimize risk. No incidents have been reported to date.

Affects

The security vulnerability affects Transact versions 4.5 through 2020.1.06. The Ephesoft engineering team has deployed a patch for on-premises users to resolve these vulnerabilities. Click here for instructions on how to install the patch.

All Transact Cloud customers have been patched as of 12/11/2021, 7:15pm PST.

Please contact Ephesoft Support for additional help.