
Contrast Security Applications affected by Log4j Vulnerability

Contrast Security has confirmed in its advisory that the Log4j vulnerability disclosed on 10 December also affects its own security products. Both the SaaS and the on-premises versions are affected. All SaaS (cloud) applications have already been patched to Log4j 2.16.0; for the on-premises version, Contrast has released patched builds and recommends that customers upgrade to them.

Product                          Versions   Status           Patched
Hosted SaaS Environments         All        Vulnerable       Patched
Java Agent                       All        Not Vulnerable   Patched
On-premises (EOP) Environments   All        Vulnerable       Patched
Scan                             All        Vulnerable       Patched
Source: https://support.contrastsecurity.com/hc/en-us/articles/4412612486548

Customers running on-premises EOP environments are advised to upgrade to 3.8.10.1566200307 immediately, and customers of the Scan product should upgrade to version 0.0.124. In addition to these upgrades, EOP customers can add the following lines to the file contrast-server.vmoptions in the bin folder (JVM options are read at startup, so the server must be restarted for them to take effect):

-Dcom.sun.jndi.rmi.object.trustURLCodebase=false
-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false
-Dlog4j2.formatMsgNoLookups=true

These flags are a defence-in-depth measure, not a replacement for the upgrade: the two trustURLCodebase settings only block remote class loading over RMI and CORBA JNDI references, and the formatMsgNoLookups switch exists only in Log4j 2.10 and later.
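The following script is an added example of how to apply and verify those three options in a vmoptions file; it is not Contrast's own tooling and is not taken from the advisory. It assumes the file is a plain list of one JVM option per line (the advisory says it lives in the server's bin folder; the path is passed in as an argument), replaces any existing line that sets one of the keys with a different value, and reports which options are still missing.

```shell
#!/bin/sh
# Added example: idempotently apply the three Log4Shell mitigation flags
# from the Contrast advisory to a contrast-server.vmoptions file and
# verify the result. Not Contrast's tooling; the file format (one JVM
# option per line) and the path handling are assumptions.

# Flags named in the advisory, as KEY=VALUE, one per line.
MITIGATIONS='com.sun.jndi.rmi.object.trustURLCodebase=false
com.sun.jndi.cosnaming.object.trustURLCodebase=false
log4j2.formatMsgNoLookups=true'

# set_vmoption FILE KEY VALUE
# Removes every existing line that sets -DKEY (with any value, so a
# stale formatMsgNoLookups=false is replaced) and appends -DKEY=VALUE.
# Running it twice leaves exactly one correct line.
set_vmoption() {
  file=$1 key=$2 value=$3
  [ -f "$file" ] || : > "$file"
  tmp="$file.tmp.$$"
  # grep -v exits 1 when nothing is left to print; that is not an error here.
  grep -v -F -- "-D$key=" "$file" > "$tmp" || true
  printf '%s\n' "-D$key=$value" >> "$tmp"
  mv "$tmp" "$file"
}

# apply_mitigations FILE: apply every entry in MITIGATIONS.
apply_mitigations() {
  file=$1
  printf '%s\n' "$MITIGATIONS" | while IFS='=' read -r key value; do
    [ -n "$key" ] && set_vmoption "$file" "$key" "$value"
  done
}

# check_mitigations FILE: returns 0 only if every flag is present as a
# whole line with the required value; otherwise names the first missing
# or wrong one on stderr and returns 1.
check_mitigations() {
  file=$1
  printf '%s\n' "$MITIGATIONS" | while IFS='=' read -r key value; do
    [ -n "$key" ] || continue
    if ! grep -q -x -F -- "-D$key=$value" "$file" 2>/dev/null; then
      echo "missing or wrong: -D$key=$value" >&2
      exit 1   # exits the pipeline subshell; its status becomes the function's
    fi
  done
}

# Usage: sh apply_mitigations.sh /path/to/contrast/bin/contrast-server.vmoptions
if [ $# -ge 1 ]; then
  apply_mitigations "$1" && check_mitigations "$1" \
    && echo "all mitigation flags present in $1"
fi
```

check_mitigations on its own is a useful post-change audit: run it against the live file after the restart to confirm nobody edited the flags back out, and keep in mind that it only proves the options are in the file, not that the running JVM was started with them.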