Log4j Vulnerability

Updated March 1, 2022

As you may know, multiple vulnerabilities within the Apache Log4j tool have been identified, tracked as CVE-2021-44228, CVE-2021-45046, CVE-2021-44832, and CVE-2021-45105.

Log4j is a logging framework created by Apache and used widely across several products and services.

Our internal teams have been conducting full impact assessments for each vulnerability and have found no evidence of successful exploitation. In addition, our teams have performed a corresponding analysis of our code as well as testing of each of these vulnerabilities. 

At this time, our analysis shows the following: 

Product/Service                           Status
Imagine Trading System – Infrastructure   Not vulnerable.
MyImagine                                 Not vulnerable.
Risk Aggregator                           Not vulnerable.
Margin                                    Analysis complete: Temporary mitigation in place, patching in progress.
RRC                                       Analysis complete: Temporary mitigation in place, patching in progress.
Risk Batch Web Services – Client          Fully patched. Client Installer (IWS 1.2.26) is available.
Risk Batch Web Services – Infrastructure  Fully patched.
Risk Infrastructure Services              Analysis complete: Temporary mitigation in place, patching in progress.
Trading Infrastructure Services           Fully patched.
TCA                                       Fully patched.
TSNext                                    Fully patched.
TradeSmart Client Portal                  Fully patched.
TradeSmart                                Clients can address these vulnerabilities by doing one of the following:

  • Downloading and installing the most recent TradeSmart version (2021.7.3 or higher), available by request from Support.
    or
  • If you do not wish to upgrade, you can alternatively mitigate any risk by navigating to your TradeSmart install directory (e.g., C:\TradeSmart\tradesmart-prod-<version>\bin) and editing both of the .vmoptions files, adding the following entry to the end of each file (making sure it appears on a new line):
    -Dlog4j2.formatMsgNoLookups=true

This will disable the functionality in Log4j that allows CVE-2021-44228 to be exploited. There is no risk from CVE-2021-44832, CVE-2021-45046, or CVE-2021-45105 in any TradeSmart version, as TS Imagine does not utilize any of the elements/code calls that expose the listed vulnerabilities.
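
The manual .vmoptions edit described above can be applied and checked with a short script. The PowerShell below is an added example, not TS Imagine's own tooling; the BinDir parameter is an assumption and must point at the bin directory of your TradeSmart install.

```powershell
# Added example, not TS Imagine tooling: apply the advisory's .vmoptions edit.
param(
    [Parameter(Mandatory = $true)]
    [string]$BinDir   # assumption: path to your TradeSmart ...\bin directory
)

$Flag = '-Dlog4j2.formatMsgNoLookups=true'
$Key  = '-Dlog4j2.formatMsgNoLookups='

$files = @(Get-ChildItem -LiteralPath $BinDir -Filter '*.vmoptions' -File)
if ($files.Count -eq 0) { throw "No .vmoptions files found in $BinDir" }

foreach ($file in $files) {
    # Compare whole trimmed lines so a commented-out copy does not count.
    $lines = @(Get-Content -LiteralPath $file.FullName | ForEach-Object { $_.Trim() })

    if ($lines -ccontains $Flag) {
        Write-Output "OK       $($file.Name): flag already present"
        continue
    }

    # Same property with another value (for example =false): do not append a
    # contradicting line, leave it for manual review.
    $conflict = @($lines | Where-Object { $_.StartsWith($Key) })
    if ($conflict.Count -gt 0) {
        Write-Warning "$($file.Name): existing entry '$($conflict[0])' needs manual review"
        continue
    }

    Copy-Item -LiteralPath $file.FullName -Destination "$($file.FullName).bak"

    # The advisory requires the entry on its own line: if the file does not
    # end with a line break, add one before the flag.
    $raw = [System.IO.File]::ReadAllText($file.FullName)
    $prefix = if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { "`r`n" } else { '' }
    [System.IO.File]::AppendAllText($file.FullName, "$prefix$Flag`r`n")

    Write-Output "PATCHED  $($file.Name): flag appended, backup at $($file.Name).bak"
}
```

Running it a second time should report OK for every file. JVM options in .vmoptions are read at startup, so restart TradeSmart after the change.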

Additionally: 
  • JDBC Appender Vulnerability – TS Imagine products and services are not vulnerable to the JDBC Appender issue. We are currently reviewing potential vulnerabilities with our third-party vendors and requesting updates on their patching status.
  • TS Imagine has deployed additional protections to block external attacks. 
  • TS Imagine is implementing all recommended third-party mitigation efforts.
  • If TS Imagine becomes aware of unauthorized access to customer data, we will notify impacted customers without delay.