LightngMcQueen
Aspirationally Rational
The issue: Apache Log4j, one of many frameworks developers use to get things done. In this case, Log4j is a framework that a lot of developers use to implement error logging in their applications. And because of that, many enterprises have applications that use this framework and are dependent on their suppliers supplying an update of this framework to close the vulnerability.
For those using Interactive Brokers ... TWS would be affected as it is using the log4j library < 2.15.
Here are technical details on the issue: CVE-2021-44228 - GitHub Advisory Database and affected TWS files:
I hope IBKR releases fix soon. In the meantime it would be safer to use Web App.
For those liking to tinker, if the instructions for the fix are correct, then adding the line:
-Dlog4j2.formatMsgNoLookups=true
to the text file tws.vmoptions should patch it for now.
Because I am extra paranoid, I have also downloaded version 2.15.0 of log4j and replaced 2 files, log4j-api-2.12.0.jar and log4j-core-2.12.0.jar, with 2.15 versions while keeping old .12 names.
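As an added example (not part of the original post and not IBKR's code): a Python check that reads each log4j-core jar's version from its manifest instead of its filename, since the post keeps the old .12 names after swapping in 2.15 files, and confirms the option is present in the vmoptions file. It assumes the jar manifest carries an `Implementation-Version` line; `audit`, `make_jar` and `demo` are hypothetical names, and the sample jars and vmoptions content are constructed.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FLAG = "-Dlog4j2.formatMsgNoLookups=true"  # the option quoted in the post
FIXED = (2, 15, 0)                         # the post treats versions < 2.15 as affected

def jar_version(jar_path):
    """Return the manifest's Implementation-Version as a tuple, or None (assumed field)."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    m = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", manifest, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def flag_present(vmoptions_path):
    """True only if the option sits on a line of its own (not commented out)."""
    p = Path(vmoptions_path)
    return p.is_file() and any(l.strip() == FLAG for l in p.read_text().splitlines())

def audit(install_dir, vmoptions_path):
    """Classify every log4j-core jar under install_dir and check the vmoptions file."""
    root, jars = Path(install_dir), {}
    for jar in sorted(root.rglob("log4j-core*.jar")):
        ver = jar_version(jar)
        status = "unknown" if ver is None else ("ok" if ver >= FIXED else "affected")
        jars[jar.relative_to(root).as_posix()] = (ver, status)
    return {"jars": jars, "flag": flag_present(vmoptions_path)}

def make_jar(path, version):
    """Write a constructed sample jar that holds only a manifest (test data)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")

def demo():
    """Constructed layout: one swapped jar under its old name, one untouched copy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        make_jar(root / "log4j-core-2.12.0.jar", "2.15.0")  # replaced, old name kept
        (root / "old").mkdir()
        make_jar(root / "old" / "log4j-core-2.12.0.jar", "2.12.0")  # missed copy
        (root / "tws.vmoptions").write_text("-Xmx768m\n" + FLAG + "\n")
        return audit(root, root / "tws.vmoptions")

if __name__ == "__main__":
    print(demo())
```

Both sample jars have the same filename, so only the manifest distinguishes the replaced copy from the one that was missed.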