Advisory: Critical vulnerability CVE-2021-44228 affecting the Apache Log4J library
KX is aware of a widely reported critical vulnerability (CVE-2021-44228) affecting the Apache Log4j library, where attackers can leverage log message or log message parameters to perform remote code execution on vulnerable systems.
It is recommended that customers who utilise Apache Log4j upgrade to version 2.15.0, which addresses this vulnerability.
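The advisory names 2.15.0 as the version that addresses this vulnerability. As an added example (not KX's code and not part of the advisory), the script below walks an installation tree, finds log4j-core jars and flags any whose version is below that threshold. It assumes the standard Maven `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` path inside the jar and the `log4j-core-<version>.jar` file-name convention; the jars it builds for its own sample run are constructed here and are not real artefacts.

```python
"""Locate log4j-core jars under a directory tree and flag versions below 2.15.0."""
import os
import re
import tempfile
import zipfile

# Minimum fixed version named in the advisory above.
FIXED_VERSION = (2, 15, 0)
# Standard Maven metadata path inside the jar (assumed for log4j-core).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FILENAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); non-numeric suffixes such as '-rc1' are dropped."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def jar_version(path):
    """Return the log4j-core version tuple for a jar, or None if it cannot be read.

    The pom.properties inside the archive is preferred because a jar can be
    renamed; the file name is used only as a fallback.
    """
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPERTIES in zf.namelist():
                text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        pass
    m = FILENAME_RE.search(os.path.basename(path))
    return parse_version(m.group(1)) if m else None


def scan(root):
    """Return a dict {basename: (version, is_vulnerable)} for log4j-core jars below root.

    Jars whose version cannot be determined are reported with version None and
    treated as vulnerable so they are reviewed by hand rather than silently passed.
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jar") and "log4j-core" in name:
                version = jar_version(os.path.join(dirpath, name))
                vulnerable = version is None or version < FIXED_VERSION
                results[name] = (version, vulnerable)
    return results


def make_sample_tree():
    """Build a constructed directory with three minimal jars (not real log4j artefacts)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    # Name matches the version recorded in pom.properties.
    samples = {
        "log4j-core-2.14.1.jar": "2.14.1",
        "log4j-core-2.15.0.jar": "2.15.0",
        # Renamed jar: only the embedded pom.properties reveals the version.
        "log4j-core-renamed.jar": "2.13.3",
    }
    for name, version in samples.items():
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            zf.writestr(
                POM_PROPERTIES,
                f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
            )
    return root


if __name__ == "__main__":
    for name, (version, vulnerable) in sorted(scan(make_sample_tree()).items()):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{name}: {shown} {'VULNERABLE' if vulnerable else 'ok'}")
```

Point `scan()` at a real installation root to list every log4j-core jar it contains; a jar reported with version `None` needs manual inspection rather than being assumed safe.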
Given the severity of this vulnerability, we have reviewed the security of our platform. No vulnerable versions of the Log4j library have been found in the KX software shipped to customers. As always, the security of our customers is of paramount importance. If and when further information becomes available, we will update this page accordingly. If you have concerns or questions, please visit support.kx.com.
We are proud to provide industry-acclaimed support for our customers, starting with free, onsite evaluations for qualified prospects with application requirements well-suited for KX technology.
We pride ourselves on being highly responsive to customer needs, typically responding to technical inquiries within minutes, and offering solutions within the day; these are responses from knowledgeable staff who are familiar with the code at a very deep level, not scripted responses from an outsourced support center.
Beyond this, we offer a full ecosystem of resources – of both the material and the human variety – that enhances the experiences of our customers.
Write to firstname.lastname@example.org or visit our Contact page.
If you work at a company that has licensed kdb+, you can join the k4 Topicbox group.
Designated Contacts
Licensed customers nominate to KX the staff members whom they have authorized to deal with kdb+ licenses, downloads and bug reports. Designated Contacts can reach us at the following addresses.
| Urgent license | email@example.com |
| Suspected bug, unexpected | firstname.lastname@example.org |
If you work at a company that has licensed kdb+, please refer to your internal support team, your Designated Contact, or the kdb+ Listbox.
Licensed customers of KX should report bugs in KX products to the email group email@example.com.
Other application errors or programming assistance requests should be referred to your company’s internal support groups or via the community support channels.
When reporting a bug please don’t just email one person directly. They may be unavailable and your report would go unseen; in any case that person would automatically forward it to firstname.lastname@example.org.
Include in the bug report:
- the exact version of kdb+ being used. Including the start-up banner is the simplest way to do this:

      KDB+ 3.5t 2017.02.28 Copyright (C) 1993-2017 Kx Systems m32/ 4()core 8192MB sjt mint.local 192.168.0.39 NONEXPIRE

  If you aren’t using the latest version of kdb+, please confirm that the problem still occurs in the latest version (from downloads.kx.com) – the problem may already have been reported and fixed.
- information about the OS being used, machine configuration and file system (if relevant).
- details of any external code (DLLs, user-written primitives) loaded into the problem session. If external code is being loaded into the session, verify that the problem still occurs when it is not loaded.
- every KX customer has a designated technical contact – please copy them on the email.
- if appropriate, include contact details, and information about when it’s convenient to contact you.
- a detailed list of steps to be taken to reproduce the error. Try to isolate the problem to a few lines of q and a tiny sample of data.
Don’t send complete applications, or commercially sensitive code or data!
Don’t send core-dumps unless requested: they are typically meaningful only on the machine where they were generated. If you know how to generate a backtrace from a core-dump, please do send us the backtrace.