C.2.3. 3rd Party Security Vulnerabilities

The Tungsten products use a number of 3rd Party libraries, such as log4j. From time to time security vulnerabilities are identified in these libraries. When this occurs, we investigate the implications and, where possible, provide updated libraries.

In some cases, we cannot back-port newer libraries into older releases, and upgrading Tungsten would be the only option to mitigate these 3rd party vulnerabilities.

This page outlines the current known vulnerabilities and the actions taken by Continuent to mitigate the risk.

C.2.3.1. Log4j 2.x Security Vulnerabilities

Tungsten versions 7.0.1+ embed the Log4j v2.24.2 libraries, in which the following issues are found:

The affected SocketAppender* classes are not called by the Tungsten software; however, security scanners will not be aware of this and will still highlight the risk.

If you are running version 7.0.1 or later, you can safely upgrade the log4j libraries to the latest stable version, 2.25.3, which will mitigate this risk.

From version 8.0.3, this upgraded library is included.

If you are running an older version of Tungsten that uses the v1 log4j libraries, you will need to either upgrade to a release using v2 and then manually upgrade the library, or upgrade directly to v8.0.3.

C.2.3.2. Log4j 1.x Security Vulnerabilities

Tungsten versions up to 6.1.16, and version 7.0.0, embed log4j-1.2.17.jar, in which the following issues are found:

  • CVE-2019-17571

  • CVE-2020-9488

  • CVE-2020-9493

  • CVE-2022-23302

  • CVE-2022-23307

  • CVE-2022-23305

These issues apply only under the following conditions:

  • The affected application must be using the vulnerable SocketServer class from Log4j 1.2 and must be configured to listen for logging data over the network. Additionally, deserialization gadgets must be present in the application's classpath for successful exploitation.

  • The affected application must be specifically configured to use the JMSSink component, which is not the default configuration in Log4j 1.x. The vulnerability is only present when JMSSink is enabled and configured.

  • The affected application must be using the Chainsaw component that was included as part of Log4j 1.2.x.

  • The affected application must be configured to read serialized log events in Chainsaw. This is a specific configuration that enables the vulnerability.

  • The affected application must be specifically configured to use the JDBCAppender in Log4j 1.2.x. This is not the default configuration, so only applications that have explicitly enabled this component are vulnerable.

Since later versions of log4j are not backwards compatible, we have created a “secured” version of this library, named log4j-1.2.17-secure.jar.

The secure version is included from v6.1.18 onwards, with the exception of v7.0.0. Log4j v2 is included from v7.2.0 onwards.

Important

While this version of the library IS secure, software security scanners will generally still report it as a threat, as they do not inspect the contents of the jar file.

Here are details on how we secured the library:

  • CVE-2019-17571: SocketServer and SocketAppender* classes removed

  • CVE-2022-23302: JMSSink and JMSAppender classes removed

  • CVE-2022-23307 and CVE-2020-9493: org/apache/log4j/chainsaw/*.class removed

  • CVE-2022-23305: JDBCAppender class removed

  • CVE-2020-9488: SMTPAppender class removed
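Because scanners judge the jar by its name rather than its contents, the practical check is to list the class entries yourself and confirm that the classes removed above are really absent. The following script is an added example, not part of the Continuent documentation or tooling; it assumes the standard log4j 1.2 package layout for the removed classes (org/apache/log4j/net, org/apache/log4j/jdbc, org/apache/log4j/chainsaw) and builds two constructed sample jars to demonstrate the difference.

```python
"""Check a log4j 1.2.x jar for the classes removed in log4j-1.2.17-secure.jar.
Added example: verifies jar contents instead of trusting a file-name-based scanner."""
import os
import tempfile
import zipfile

# Entry prefixes removed in the secured build, keyed by the CVE each addresses.
# Package paths assume the standard log4j 1.2 layout.
REMOVED_CLASSES = {
    "CVE-2019-17571": ("org/apache/log4j/net/SocketServer",
                       "org/apache/log4j/net/SocketAppender"),
    "CVE-2022-23302": ("org/apache/log4j/net/JMSSink",
                       "org/apache/log4j/net/JMSAppender"),
    "CVE-2022-23307": ("org/apache/log4j/chainsaw/",),
    "CVE-2020-9493": ("org/apache/log4j/chainsaw/",),
    "CVE-2022-23305": ("org/apache/log4j/jdbc/JDBCAppender",),
    "CVE-2020-9488": ("org/apache/log4j/net/SMTPAppender",),
}


def remaining_vulnerable_classes(jar_path):
    """Return {cve: [class entries]} for removed classes still present in the jar.
    An empty dict means the jar matches the secured layout described above."""
    with zipfile.ZipFile(jar_path) as jar:
        names = [n for n in jar.namelist() if n.endswith(".class")]
    found = {}
    for cve, prefixes in REMOVED_CLASSES.items():
        hits = sorted(n for n in names if any(n.startswith(p) for p in prefixes))
        if hits:
            found[cve] = hits
    return found


def build_sample_jar(path, entries):
    """Constructed sample jar: one empty .class entry per name (contents irrelevant)."""
    with zipfile.ZipFile(path, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return path


def demo():
    """Scan a constructed 'stock' jar and a constructed 'secured' jar; return both findings."""
    stock = ["org/apache/log4j/Logger.class",
             "org/apache/log4j/net/SocketServer.class",
             "org/apache/log4j/net/SocketAppender.class",
             "org/apache/log4j/net/JMSSink.class",
             "org/apache/log4j/chainsaw/Main.class",
             "org/apache/log4j/jdbc/JDBCAppender.class",
             "org/apache/log4j/net/SMTPAppender.class"]
    removed = [p for ps in REMOVED_CLASSES.values() for p in ps]
    secured = [n for n in stock if not any(n.startswith(p) for p in removed)]
    with tempfile.TemporaryDirectory() as tmp:
        a = build_sample_jar(os.path.join(tmp, "log4j-1.2.17.jar"), stock)
        b = build_sample_jar(os.path.join(tmp, "log4j-1.2.17-secure.jar"), secured)
        return remaining_vulnerable_classes(a), remaining_vulnerable_classes(b)


if __name__ == "__main__":
    stock_findings, secured_findings = demo()
    print("stock jar:", stock_findings)      # every CVE listed with its classes
    print("secured jar:", secured_findings)  # {} when the removals are in place
```

To audit a real installation, call remaining_vulnerable_classes() on the jar under cluster-home/lib; a non-empty result identifies exactly which removal is missing.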

C.2.3.3. Jackson Denial of Service and Resource Exhaustion threats

The following vulnerabilities have been identified in the Jackson libraries v2.13.0 shipped with Tungsten up to 7.2.0:

  • CVE-2021-46877

  • CVE-2022-42003

  • CVE-2022-42004

  • CVE-2023-35116

  • CVE-2025-52999

These threats do not affect, and are not exposed to, the client application, as the libraries are only used for internal JSON conversions of known data generated by Tungsten; they might nonetheless be detected by security scanners.

The fix is to replace the three jars named jackson* with the 2.20 and 2.20.1 versions, which are backwards compatible.

Updated libraries can be downloaded from the following links:

After obtaining the updated files, copy them into the software staging directory of your currently installed release, then issue an update, for example:

shell> cp jackson* /opt/continuent/software/tungsten-replicator-7.0.3-141/cluster-home/lib
shell> cd /opt/continuent/software/tungsten-replicator-7.0.3-141
shell> tools/tpm update --replace-release