
Fixing log4j vulnerability in T.Commander

A zero-day vulnerability (CVE-2021-44228, also known as Log4Shell) has been discovered in the Apache Log4j 2 library. If exploited, it permits a remote attacker to execute arbitrary code on vulnerable systems. This vulnerability affects T.Commander 3.5.5.0 and earlier versions.

The Log4j dependency has been removed entirely in T.Commander build 3.5.5.1-2-g424e9089, so the fixed versions do not need Log4j configuration changes or patched Log4j jars. We strongly recommend updating T.Commander to the latest version (3.5.5.1 or later) as soon as possible.
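To confirm that an installed build really no longer bundles Log4j 2, you can scan the installation directory for Java archives that still contain the JndiLookup class, which is the component CVE-2021-44228 abuses. The following POSIX shell script is an added example and is not part of TASSTA's documentation or tooling; the installation path /opt/tcommander in the usage comment is an assumption, so substitute the directory where T.Commander is actually deployed.

```shell
#!/bin/sh
# Check whether a T.Commander installation still ships Log4j 2's JndiLookup
# class. Added example, not part of TASSTA's documentation or tooling.

JNDI_CLASS='org/apache/logging/log4j/core/lookup/JndiLookup.class'

# find_log4j_jars DIR
# Prints every .jar/.war/.ear under DIR whose archive directory lists the
# JndiLookup class. Zip central directories store entry names uncompressed,
# so a fixed-string grep over the raw bytes finds them without unpacking.
# Limitation: an archive nested inside another archive is stored compressed,
# so its entries are invisible to this scan; unpack such bundles first.
# Permission errors from unreadable directories are discarded.
find_log4j_jars() {
    find "$1" -type f \( -name '*.jar' -o -name '*.war' -o -name '*.ear' \) \
        -exec grep -lF "$JNDI_CLASS" {} + </dev/null 2>/dev/null | sort
}

# log4j_present DIR
# Exit status 0 if at least one affected archive was found, 1 otherwise, so it
# can gate a post-update check or a scheduled job.
log4j_present() {
    [ -n "$(find_log4j_jars "$1")" ]
}

# Usage (installation path is an assumption; use the real deployment directory):
#   find_log4j_jars /opt/tcommander
#   log4j_present /opt/tcommander && echo "Log4j 2 still bundled: update T.Commander"
```

Run it after the update and again after any reinstall. A clean result only proves that no archive under that directory advertises the class by its original name; it says nothing about other Java services on the same host, which need to be checked separately.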

To update T.Commander, open a ticket at the TASSTA Help Center.

Until the update is installed, apply one of the following temporary workarounds:

  • If possible, block all connections from the Internet to TCP port 4321 on the server where T.Commander is deployed. You can still configure TASSTA services through the T.Commander web interface from computers on the local network.
  • Restrict access to TCP port 4321 on the server where T.Commander is deployed to trusted IP addresses only.
Important:

IP address restriction should only be considered a short-term measure. It narrows who can reach the vulnerable service but does not remove the vulnerability: any host on a trusted address range, or an attacker who has compromised one, can still exploit it. If the restriction is enforced by the application from client-supplied data (for example a proxy header such as X-Forwarded-For) rather than by a packet filter on the actual source address of the connection, it is trivially bypassed, because the client chooses what goes into those headers.

  • Stop the T.Commander service by running stop-commander. This does not affect client connectivity, but you will be unable to configure TASSTA services through the T.Commander web interface until the service is started again.
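The two port-based workarounds above come down to one packet-filter rule set. The script below is an added example, not TASSTA's own tooling: it generates iptables rules that accept TCP port 4321 only from loopback and a list of trusted addresses and drop everything else to that port. Passing your local network ranges implements the first workaround (no access from the Internet), passing only specific administrator hosts implements the second, and passing nothing leaves the web interface reachable from the server itself only. It assumes a Linux server where iptables manages the INPUT chain; the address ranges in the usage comment are placeholders.

```shell
#!/bin/sh
# Generate (and optionally apply) iptables rules that restrict access to the
# T.Commander web interface on TCP/4321. Added example, not TASSTA tooling.
# Assumes a Linux server where iptables manages the INPUT chain (IPv4 only;
# mirror the rules with ip6tables if the host also has an IPv6 address).

PORT=4321

# valid_addr ADDR
# Accepts a dotted-quad IPv4 address with an optional /prefix. Octet ranges are
# not checked; the point is to refuse anything that is not shaped like an
# address before it is interpolated into a command line.
valid_addr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# gen_rules [ADDR...]
# Prints the iptables commands, one per line, without executing them, so they
# can be reviewed first. Every command uses -I (insert at the top of INPUT):
# the DROP rule is printed first and each ACCEPT printed afterwards lands above
# it, so the final chain order is ACCEPT (trusted), ACCEPT (lo), DROP.
# With no ADDR arguments only loopback can reach the port.
gen_rules() {
    for src in "$@"; do
        if ! valid_addr "$src"; then
            echo "gen_rules: not an IPv4 address or CIDR range: $src" >&2
            return 1
        fi
    done
    echo "iptables -I INPUT -p tcp --dport $PORT -j DROP"
    echo "iptables -I INPUT -i lo -p tcp --dport $PORT -j ACCEPT"
    for src in "$@"; do
        echo "iptables -I INPUT -p tcp -s $src --dport $PORT -j ACCEPT"
    done
}

# apply_rules [ADDR...]
# Executes the generated commands. Requires root. The rules are not persistent
# across reboots unless saved with the distribution's iptables-save mechanism.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    rules=$(gen_rules "$@") || return 1
    printf '%s\n' "$rules" | sh -e
}

# Usage (placeholder ranges; replace with your own):
#   gen_rules 10.0.0.0/8 192.0.2.15      # review the rules first
#   apply_rules 10.0.0.0/8 192.0.2.15    # then apply them as root
#   iptables -S INPUT                    # confirm the ACCEPT rules sit above the DROP
```

After applying the rules, verify them from both sides: from a host outside the trusted ranges a connection attempt such as nc -vz SERVER 4321 must fail, and from a trusted host the web interface must still load. Remember that this only limits exposure; it does not fix the vulnerable library, so the update remains necessary.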