LOG4J security issue for ATS like service

Hello

We received the attached notice from Refinitiv: Log4j Vulnerability Update as of 15_30 GMT on 30th December 2021.pdf, and we would like some clarification on the point related to Refinitiv Real-Time Advanced Transformation Server (ATS).

Basically, we had installed an ATS-like service on our TREP infra (Real-Time Distribution System) and, from what I understood when we configured it with one of your colleagues, it is not a real Advanced Transformation Server.
So my question is: is our current config impacted by the Log4j vulnerability? If yes: how to fix it?

Thanks,
Henri

Best Answer

  • @Henri.GARDON

    The PUB service doesn't have the Vendor element entry so it is possible that it is not a service from ATS.

    However, to confirm it, you need to contact your market data team to verify the source of this service.


Answers

  • Hi @Henri.GARDON,

    Can you please elaborate on what you mean by "ATS like service"? Log4J is a product specifically used in the ATS. If your RTDS service was configured using ADS etc., and not ATS specifically, then your infrastructure is not impacted by this vulnerability.

  • Basically, when we connect to our TREP infra, we have two services (via adhmon/adsmon):

    IDN_RDF to retrieve real market data.
    PUB: ATS-like service where we can publish our data in some way with a command line like: ./rmdstestclient -S PUB -f post.txt -ir 1 -I 1 with post.txt containing RICs.

    I guess that we are not impacted, right?

  • There can be a number of ways in which a publishing service can be set up in the infrastructure. To be completely sure, please talk to your market data administrator and verify that you don't have ATS set up - to be sure.

  • Hello @Henri.GARDON

    According to the given PDF document, the product is the Refinitiv Real-Time Advanced Transformation Server (ATS), but the product in your screen capture is the Refinitiv Real-Time Advanced Distribution Hub (ADH), which is a totally different product.

    I highly recommend you contact the ADH support team directly to verify if it is impacted by the Log4j vulnerabilities. You can contact the team via https://my.refinitiv.com/content/mytr/en/productsupport.html website.

    Update:

    If the PUB server is ATS, you can contact the ATS support team to verify if it is impacted by the Log4j vulnerabilities.


  • @Henri.GARDON

    You may run rmdstestclient to check the source directory message of the PUB service.

    The command looks like this:

    rmdsTestClient.exe -h <hostname> -p 14002 -S PUB -ct rssl -f rics.txt -X -d 3 -l stdout

    If the Vendor element entry of the PUB service is DTS or ATS, the source of the PUB service could be an ATS server.

  • Hi, thanks a lot for the info!

    @Jirapongse with the command that you provided, I got the attached output rmdstestclient.txt, with the following keywords:

    <refreshMsg domainType="RSSL_DMT_SOURCE" streamId="2" containerType="RSSL_DT_MAP" flags="0x168 (RSSL_RFMF_HAS_MSG_KEY|RSSL_RFMF_SOLICITED|RSSL_RFMF_REFRESH_COMPLETE|RSSL_RFMF_CLEAR_CACHE)" groupId="0" dataState="RSSL_DATA_OK" streamState="RSSL_STREAM_OPEN" code="RSSL_SC_NONE" text="" dataSize="539">


    Then:


    <elementEntry name="Name" dataType="RSSL_DT_ASCII_STRING" data="PUB"/>


    And finally:


    <elementEntry name="Vendor" dataType="RSSL_DT_ASCII_STRING" data="Thomson Reuters"/>


    So I guess this is not a real ATS? Can you confirm?

    Thanks,
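
A small parser for the Vendor check described in the thread, as an added example that is not part of the original posts or any Refinitiv code: it reads saved rmdstestclient -X output, pulls each service's Name and Vendor from the source directory refresh, and flags the ATS/DTS values mentioned above. It assumes one elementEntry per line with Name before Vendor; SVC_A, SVC_B, the login line and the function names are hypothetical.

```python
import re

# One <elementEntry .../> line of the -X trace: capture name and data.
ENTRY_RE = re.compile(r'<elementEntry\s+name="([^"]*)"[^>]*?\sdata="([^"]*)"')
MSG_RE = re.compile(r'<\w+Msg\s')   # opening tag of any traced message
ATS_VENDORS = {"ATS", "DTS"}        # values the thread ties to an ATS source

# Constructed sample. The source refreshMsg and PUB lines follow the output
# quoted in the thread; SVC_A, SVC_B and the login message are made up.
SAMPLE = '''
<refreshMsg domainType="RSSL_DMT_LOGIN" streamId="1">
<elementEntry name="ApplicationName" dataType="RSSL_DT_ASCII_STRING" data="ADS"/>
<refreshMsg domainType="RSSL_DMT_SOURCE" streamId="2" containerType="RSSL_DT_MAP">
<elementEntry name="Name" dataType="RSSL_DT_ASCII_STRING" data="PUB"/>
<elementEntry name="Vendor" dataType="RSSL_DT_ASCII_STRING" data="Thomson Reuters"/>
<elementEntry name="Name" dataType="RSSL_DT_ASCII_STRING" data="SVC_A"/>
<elementEntry name="Vendor" dataType="RSSL_DT_ASCII_STRING" data="ATS"/>
<elementEntry name="Name" dataType="RSSL_DT_ASCII_STRING" data="SVC_B"/>
'''

def service_vendors(trace):
    """Map each service in the source directory refresh to its Vendor (or None).
    Assumes Name precedes Vendor within a service, as in the quoted output."""
    vendors, current, in_source = {}, None, False
    for line in trace.splitlines():
        if MSG_RE.search(line):
            # A new message starts: only the source directory domain counts.
            in_source, current = 'domainType="RSSL_DMT_SOURCE"' in line, None
            continue
        m = ENTRY_RE.search(line) if in_source else None
        if not m:
            continue
        name, data = m.groups()
        if name == "Name":
            current = data
            vendors.setdefault(current, None)
        elif name == "Vendor" and current is not None:
            vendors[current] = data
    return vendors

def classify(vendor):
    """Triage only: none of these results replaces confirmation by support."""
    if vendor is None:
        return "no-vendor-entry"   # inconclusive, ask the market data team
    if vendor.strip().upper() in ATS_VENDORS:
        return "possible-ats"      # source could be an ATS server
    return "other-vendor"

if __name__ == "__main__":
    for svc, vendor in service_vendors(SAMPLE).items():
        print(f"{svc}: Vendor={vendor!r} -> {classify(vendor)}")
```
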

  • Confirmed with our Refinitiv contact that we are not impacted.

    Thank you for the help!