Skip to main content
Mitratech Success Center

TeamConnect Log4j Vulnerability Remediation

TeamConnect Log4j Remediation


TeamConnect Hosted Updates 

Last update:  Jan-07-2022 10:30 AM CT

Mitratech has concluded its initial investigations on its applications and infrastructure. Mitratech is continuing to remediate its hosting environments as needed per changing guidance. Please contact Mitratech Support if any questions.

Please see the following updates for our 3rd party Hosted TeamConnect Integrations.

  • SAP Business Objects – SAP BusinessObjects BI Platform is not impacted by the CVE-2021-44228
  • TCBI – Remediated on 2021-Dec-13
  • ElasticSearch - Remediated on 2021-Dec-10
  • SAML: Log4j 1.X is used for SAML TeamConnect and therefore not vulnerable
  • Data Warehouse - Log4j 1.x is used for Data Warehouse for TeamConnect and is not vulnerable. 

TeamConnect On Premise Updates for CVE-2021-44228 (ACTION REQUIRED BY CUSTOMER)

Last update:  May-06-2022 15:38 PM CT

In regard to vulnerabilities in CVE-2021-44228, on-premise installations of TeamConnect may contain modules of log4j 2.X, depending on the version. Log4j 2 mitigations in TeamConnect are below.

TeamConnect 6.3.5 (available now) no longer includes the vulnerable log4j 2.x core files. It does still include the log4j-api 2.11.1 jar (controlled by ElasticSearch) which is not impacted by the vulnerability.  TC 6.3.5 and higher are therefore not impacted by the CVE-2021-44228.  However, manual remediation for log4j-api is achievable by following the steps below, if so desired.

TeamConnect 6.3.6  includes both log4j-core and log4j-api 2.17.1 files.

Manual Remediation for TeamConnect 6.3.4 or lower and third party integrated applications:

Instructions for remediation of log4j 2.x for integrated applications provided by Mitratech are listed in Step 3.

Please note that guidance may change as we receive continued updates from our vendors and third parties

STEP 1:  Replace affected log4j 2.x files:

  • Stop your instance of TeamConnect
  • Using a ZIP utility, locate and remove log4j-api*.jar and log4j-core*.jar in the WEB-INF\lib\ folder located in the .war archive file.




STEP 2:  Verify log4j 1.x JMS appender is not enabled:

Log4J 1.X is used for TeamConnect, but is not specifically vulnerable to CVE-2021-44228 unless the JMS Appender is enabled. This is not enabled by default in Log4j 1.X.

  • Located WEB-INF\classes
  • Open the file and validate that JMS Appender has not been configured
  • Search for log4j.appender.jms*

While Mitratech's immediate focus is on remediating Log4J 2.X issues, Mitratech is assessing Log4J 1.X, and the existence of other vulnerabilities in 1.X will be addressed in a future release.


STEP 3:  Address 3rd Party products as needed:

Please check the following Vendors for remediation guidance for these integrations into TeamConnect:


CVE-2021-4104 (Log4j 1.x)

TeamConnect:  Log4j 1.x fully removed from TeamConnect as of 6.3.5 patch 1 and replaced with reload4j

SAML - a release of the SAML module which replaces log4j 1.x with reload4j will be available in Q2 2022; dates will be updated as they become available.

Data Warehouse - a release of the SAML module which replaces log4j 1.x with reload4j will be available in Q2 2022; dates will be updated as they become available.



  • Was this article helpful?