Any word on whether PVCS version manager 8.6.2 is affected
The certtool command line utility that ships with PVCS VM is affected by this CVE, but exploiting it requires social engineering or other techniques whereby someone executes a malicious certtool command on behalf of the attacker.
Full summary of the issue, and steps to mitigate the small attack vector, can be found here:
http://knowledgebase.serena.com/InfoCenter/index?page=content&id=S143608
You're very welcome. I hope you can shake the other monkeys off as well ;-)
As a heads up: KB article S143608 has been updated with the latest guidance to use log4j 2.16.0 and now applies to CVE-2021-44228 and CVE-2021-45046.
Oh, just sent you a PM. Obviously 2.17 is now the way to go. Fine, the certtool is one thing. But now there's https://nvd.nist.gov/vuln/detail/CVE-2021-4104 with relation to 1.x. Now what!?
No need to worry. Exploiting that issue in log4j 1.x requires someone to define a specific configuration using a JMSAppender, which is neither the default in the log4j package nor how it is used by PVCS VM.
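As an added check, not code from this thread, the KB article or PVCS VM itself: a small Python script that walks an install directory, classifies any log4j jar it finds by version (the 2.17.0 threshold follows the guidance above; the filename pattern only recognizes log4j, log4j-core and log4j-api jars, which is an assumption about how the jars are named), and flags log4j 1.x configuration files that reference org.apache.log4j.net.JMSAppender, the precondition for CVE-2021-4104 described in the reply above. The sample tree is constructed in a temporary directory; no real PVCS VM paths are assumed.

```python
"""Added example: inventory log4j jars under an install tree and flag
log4j 1.x configs that wire in a JMSAppender (needed for CVE-2021-4104).
Not part of the original thread or of the PVCS VM product."""
import re
import tempfile
from pathlib import Path

# Assumed naming convention: log4j-1.2.17.jar, log4j-core-2.16.0.jar, log4j-api-2.17.1.jar
JAR_RE = re.compile(r"^log4j(?:-core|-api)?-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)

# Threshold taken from the thread's final guidance ("2.17 is now the way to go").
SAFE_2X = (2, 17, 0)

# Only this appender class makes CVE-2021-4104 reachable in log4j 1.x.
JMS_APPENDER_RE = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")


def classify_jar(filename):
    """Return (version_tuple, verdict) for a log4j jar name, or None if not log4j."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    ver = tuple(int(x) for x in m.groups())
    if ver[0] == 1:
        return ver, "log4j 1.x: CVE-2021-4104 only reachable via a JMSAppender config"
    if ver < SAFE_2X:
        return ver, "log4j 2.x below 2.17.0: upgrade (CVE-2021-44228 / CVE-2021-45046)"
    return ver, "ok"


def uses_jms_appender(config_text):
    """True if a log4j 1.x .properties or .xml config references JMSAppender."""
    return JMS_APPENDER_RE.search(config_text) is not None


def scan_tree(root):
    """Walk root; return ({relative jar path: (version, verdict)}, [risky config paths])."""
    root = Path(root)
    jars = {}
    risky_configs = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        verdict = classify_jar(path.name)
        if verdict is not None:
            jars[rel] = verdict
        elif path.suffix in (".properties", ".xml") and "log4j" in path.name.lower():
            # Log4j 1.x reads its config from log4j.properties / log4j.xml
            if uses_jms_appender(path.read_text(errors="ignore")):
                risky_configs.append(rel)
    return jars, sorted(risky_configs)


def build_sample_tree():
    """Constructed sample install tree (not a real PVCS VM layout) for a dry run."""
    root = Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    (root / "conf").mkdir()
    for jar in ("log4j-1.2.17.jar", "log4j-core-2.16.0.jar", "log4j-core-2.17.1.jar",
                "commons-logging-1.2.jar"):
        (root / "lib" / jar).write_bytes(b"")  # contents irrelevant for a name-based inventory
    (root / "conf" / "log4j.properties").write_text(
        "log4j.rootLogger=INFO, jms\n"
        "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
        "log4j.appender.jms.TopicBindingName=logTopic\n"
    )
    (root / "conf" / "log4j-console.properties").write_text(
        "log4j.rootLogger=INFO, stdout\n"
        "log4j.appender.stdout=org.apache.log4j.ConsoleAppender\n"
    )
    return str(root)


if __name__ == "__main__":
    jars, risky = scan_tree(build_sample_tree())
    for path, (ver, verdict) in sorted(jars.items()):
        print(f"{path}: {'.'.join(map(str, ver))} -> {verdict}")
    for path in risky:
        print(f"{path}: references JMSAppender (CVE-2021-4104 precondition)")
```

Run it against the real install directory by replacing `build_sample_tree()` with that path; a log4j 1.x jar with no JMSAppender config is the situation the reply above describes, while a flagged config is the one case that needs attention.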