Security Updates

>Service Pack: 8.3.100  |  December 2021

>Service Pack: 8.3.002  |  December 2021

>Release: 8.3  |  November 2021

For the latest information regarding any older or newly discovered issues, see:

https://cpl.thalesgroup.com/software-monetization/security-updates

Reporting a Security Vulnerability

If you think you have found a security vulnerability, please report it to Thales using the links in:

https://cpl.thalesgroup.com/software-monetization/security-updates

Service Pack: 8.3.100  |  December 2021

The Sentinel LDK 8.3.100 service pack upgrades the Apache Log4j module to version 2.17.0. This upgrade resolves several security vulnerabilities, none of which are applicable to any Sentinel LDK component.

Service Pack: 8.3.002  |  December 2021

The vulnerability listed below affects Sentinel LDK components. This vulnerability is resolved in Sentinel LDK Service Pack 8.3.002 and later.

>CVE-2021-44228 is a remote code execution vulnerability in Apache Log4j 2.12.0. This vulnerability is remotely exploitable without authentication: it can be exploited over a network without the use of a username and password. For more information, see https://nvd.nist.gov/vuln/detail/CVE-2021-44228.

The Apache Log4j module is used by Sentinel LDK in the Sentinel LDK Activation sample for Java. (As a client-side application, the Activation sample for Java is not affected by this vulnerability.) The Sentinel LDK 8.3.002 service pack upgrades the Apache Log4j module to version 2.15.0, which resolves the vulnerability.

Release: 8.3  |  November 2021

There are no known security issues at the time of this release, and this release does not resolve any known security issues relating to Sentinel products.