Fixing log4j vulnerability in T.Commander
A zero-day vulnerability (CVE-2021-44228) has been discovered in Apache Log4j library which, if exploited, could permit a remote attacker to execute arbitrary code on vulnerable systems. This vulnerability impacts T.Commander 126.96.36.199 and earlier versions.
Log4j dependency has been removed in T.Commander release 188.8.131.52-2-g424e9089. We strongly recommend that you update T.Commander to the latest version (184.108.40.206 or later) as soon as possible.
To update T.Commander, open a ticket at TASSTA Help Center.
As a temporary workaround, you can do one of the following:
- If possible, block all connections from the Internet to the port 4321 on the server where T.Commander is deployed. You can still configure TASSTA services through T.Commander web interface from local computers.
- Restrict access to the port 4321 on the server where T.Commander is deployed for all but trusted IP addresses.
IP address restriction should only be considered as a short-term solution! Client IP address is specified in network packets sent by the client, and this information is easily spoofed.
- Stop T.Commander service by running
stop-commander. It will not affect client connectivity, but you will be unable to configure TASSTA services through T.Commander web interface.