Log4j Vulnerability

Updated March 1, 2022

As you may know, multiple vulnerabilities within the Apache Log4j tool have been identified, tracked as  CVE-2021-44228, CVE-2021-45046CVE-2021-44832,  and CVE-2021-45105. 

 Log4j is a logging framework created by Apache and used widely across several products and services.

Our internal teams have been conducting full impact assessments for each vulnerability and have found no evidence of successful exploitation. In addition, our teams have performed a corresponding analysis of our code as well as testing of each of these vulnerabilities. 

At this time, our analysis shows the following: 

Product/Service Status 
Imagine Trading System – InfrastructureNot vulnerable.
MyImagine Not vulnerable.
Risk Aggregator Not vulnerable.
Margin Analysis complete: Temporary mitigation in place, patching in progress. 
RRC  Analysis complete: Temporary mitigation in place, patching in progress. 
Risk Batch Web Services – Client Fully patched. Client Installer (IWS 1.2.26) is available.
Risk Batch Web Services – InfrastructureFully patched.
Risk Infrastructure Services Analysis complete: Temporary mitigation in place, patching in progress. 
Trading Infrastructure Services Fully patched. 
TCA Fully patched. 
TSNext Fully patched. 
TradeSmart Client Portal Fully patched. 
TradeSmart Clients can address these vulnerabilities by doing one of the following:

  • Downloading and installing the most recent TradeSmart version (2021.7.3 or higher) (available by request from Support).
    otherwise
  • If you do not wish to upgrade, you alternatively can mitigate any risk by navigating to your TradeSmart install directory (e.g., C:\TradeSmart\tradesmart-prod-<version>\bin) and edit both of the .vmoptions files, adding the following entry to the end of the file (making sure it is displayed on a new line):
    -Dlog4j2.formatMsgNoLookups=true

This will disable the functionality in log4j that allows the exploit CVE-2021-44228 to occur. There is no risk from CVE-2021-44832, CVE-2021-45046, or CVE-2021-45105 in any TradeSmart version as TS Imagine does not utilize any of the elements/code calls that expose the listed vulnerabilities.

Additionally: 
  • JDBC Appender Vulnerability – TS Imagine products and services are not vulnerable to the JDBC Appender issue. We are currently reviewing potential vulnerabilities with our third-party vendors and requesting updates on their patching status.
  • TS Imagine has deployed additional protections to block external attacks. 
  • TS Imagine is implementing all recommended 3rd party mitigation efforts. 
  • If TS Imagine becomes aware of unauthorized access to customer data, we will notify impacted customers without delay.