
Advisory on log4j Vulnerability Mitigation for Temenos Journey Platform Products


Temenos Journey Manager (TJM), including Maestro, Analytics, and custom form spaces, all use log4j. Depending on the TJM version, each uses log4j v2.14.x, for which a vulnerability was recently disclosed. Our attempts to exploit this vulnerability within TJM have not been successful. However, we have decided to apply the mitigation anyway, since this vulnerability has the potential for wide impact.

On Sunday, 12 Dec 2021, between 12 PM AEDT and 6 PM AEDT, we deployed the recommended mitigation to all production and non-production TJM instances, in all managed regions, on all hosted locations (AWS, Azure and private cloud). We restarted all TJM applications for the change to take effect.

VDC and VDC+ customers have additional protection from the outbound traffic control we have in place: only outbound traffic to the specific ports requested by clients is allowed. There is also an outbound URL restriction, under which TJM is only allowed to make outbound calls to URLs in an allow list.

Please note that the vulnerability in question is fixed in log4j v2.15.0 and later. However, a mitigation can be applied to previous versions until the library is upgraded in TJM.

Update for log4j issue

A new CVE, CVE-2021-45046, was raised against log4j version 2.15. This has a base score of low on https://nvd.nist.gov/vuln/detail/CVE-2021-45046 and requires the JndiLookup.class to be exploited.

Our scans show that this is not used by our clients and therefore no action is required. We will be providing a library upgrade to the latest log4j (2.17.0 - 21 Dec 21) in the next major release of Journey Manager, 22.04.

If you require more information, please contact our support team. 
