
Log4j 2.x Security Vulnerabilities

Known Issue

Affecting versions 7.0.1+ up to 8.0.2.

Tungsten versions 7.0.1+ embed the Log4j v2.24.2 libraries, where the following issues are found:

The affected SocketAppender* classes are not called by the Tungsten software. However, security scanners are not aware of this and will still highlight the risk.

If you are running version 7.0.1 or later, you can safely upgrade the Log4j libraries to the latest stable version, 2.25.3, which will mitigate this risk.

From version 8.0.3, this upgraded library is included.

If you are running an older version of Tungsten that uses the Log4j v1 libraries, you will need to consider either upgrading to a release that uses v2 and then manually upgrading the libraries, or upgrading directly to v8.0.3.
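
A check to run before and after the library upgrade described above, as an added example (not Tungsten's own tooling): it inventories Log4j jars by file name under a directory and flags any 2.x jar below 2.25.3 and any 1.x jar. The directory argument and the function names are assumptions; this page does not give the installation path.

```shell
#!/bin/sh
# Added example: classify Log4j jars against the fixed version named on this page.
FIXED_VERSION="2.25.3"

# version_lt A B: succeeds when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
         sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# jar_version FILE: print the version embedded in a Log4j jar file name,
# e.g. log4j-core-2.24.2.jar -> 2.24.2, log4j-1.2-api-2.24.2.jar -> 2.24.2.
jar_version() {
    basename "$1" |
        sed -nE 's/^log4j-([a-z0-9.]+-)*([0-9]+(\.[0-9]+)+).*\.jar$/\2/p'
}

# classify_jar FILE: print "<STATUS> <version> <path>".
#   LOG4J1  = Log4j 1.x library (needs a Tungsten release that uses v2)
#   UPGRADE = Log4j 2.x older than FIXED_VERSION
#   OK      = Log4j 2.x at or above FIXED_VERSION
classify_jar() {
    ver=$(jar_version "$1")
    [ -n "$ver" ] || return 0          # unparseable name: skip
    case "$ver" in
        1.*) echo "LOG4J1 $ver $1" ;;
        *)   if version_lt "$ver" "$FIXED_VERSION"; then
                 echo "UPGRADE $ver $1"
             else
                 echo "OK $ver $1"
             fi ;;
    esac
}

# scan_log4j DIR: classify the core, api and 1.x jars found below DIR.
scan_log4j() {
    find "$1" -type f \( -name 'log4j-core-*.jar' -o -name 'log4j-api-*.jar' \
        -o -name 'log4j-1.*.jar' \) | sort |
    while IFS= read -r jar; do
        classify_jar "$jar"
    done
}

# Usage: sh check_log4j.sh /path/to/tungsten/install   (placeholder path)
if [ $# -gt 0 ]; then
    scan_log4j "$1"
fi
```

The check relies on file names only, so a jar that has been renamed or repackaged inside another archive will not be reported.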