Updated March 1, 2022
Log4j is a logging framework created by Apache and used widely across several products and services.
Our internal teams have been conducting full impact assessments for each vulnerability and have found no evidence of successful exploitation. In addition, our teams have performed a corresponding analysis of our code as well as testing of each of these vulnerabilities.
At this time, our analysis shows the following:
|Imagine Trading System – Infrastructure||Not vulnerable.|
|Risk Aggregator||Not vulnerable.|
|Margin||Analysis complete: Temporary mitigation in place, patching in progress.|
|RRC||Analysis complete: Temporary mitigation in place, patching in progress.|
|Risk Batch Web Services – Client||Fully patched. Client Installer (IWS 1.2.26) is available.|
|Risk Batch Web Services – Infrastructure||Fully patched.|
|Risk Infrastructure Services||Analysis complete: Temporary mitigation in place, patching in progress.|
|Trading Infrastructure Services||Fully patched.|
|TradeSmart Client Portal||Fully patched.|
|TradeSmart||Clients can address these vulnerabilities by doing one of the following:|
This will disable the functionality in log4j that allows the exploit CVE-2021-44228 to occur. There is no risk from CVE-2021-44832, CVE-2021-45046, or CVE-2021-45105 in any TradeSmart version as TS Imagine does not utilize any of the elements/code calls that expose the listed vulnerabilities.
- JDBC Appender Vulnerability – TS Imagine products and services are not vulnerable to the JDBC Appender issue. We are currently reviewing potential vulnerabilities with our third-party vendors and requesting updates on their patching status.
- TS Imagine has deployed additional protections to block external attacks.
- TS Imagine is implementing all recommended 3rd party mitigation efforts.
- If TS Imagine becomes aware of unauthorized access to customer data, we will notify impacted customers without delay.