Security Notice - Log4J2 CVE-2021-44228

The Semarchy engineering team is monitoring - as part of the build & quality processes - Common Vulnerabilities and Exposures (CVEs) that impact libraries or third-party components shipped in the Semarchy/Stambia products.


Multiple vulnerabilities affecting the Log4J2 (Log4J version 2) library, commonly used in applications for logging services, have been reported under the CVE-2021-44228, CVE-2021-45105, CVE-2021-44832, and CVE-2021-45046 references.


Multiple vulnerabilities affecting the Log4J1 (Log4J version 1) library, commonly used in applications for logging services, have been reported under the CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307 references.


To summarize, the impact for each product is as follows:

  • Designer

    • The Designer does not use Log4J for logging purposes. It is therefore not affected by the reported vulnerabilities.

  • Analytics

    • Analytics does not use Log4J2 (Log4J version 2) and is therefore not affected by the Log4J2 vulnerabilities.

    • Analytics uses the previous version of that library, Log4J1 (Log4J version 1), which has other reported vulnerabilities. However, Analytics is not affected by these vulnerabilities.

    • Although not affected, Analytics has been upgraded in Semarchy xDI 2023.1.0 to use Log4J2 version 2.17.1.

  • Runtime

    • The Runtime does not use Log4J2 (Log4J version 2) and is therefore not affected by the Log4J2 vulnerabilities.

    • The Runtime uses the previous version of that library, Log4J1 (Log4J version 1), which has other reported vulnerabilities that can be easily identified and mitigated.

    • The Runtime has been upgraded in Semarchy xDI 2023.1.0 to use Log4J2 version 2.17.1.

  • Components

    • The only component shipping Log4J2 (Log4J version 2) is the ElasticSearch component, which is not affected by the CVEs (it is a transitive dependency not exposed to end-users).

    • Although not affected, the ElasticSearch component has been upgraded in Component Pack version 3.0.0 to use Log4J2 version 2.16.0, which includes the fixes for CVE-2021-44228 and CVE-2021-45046.

    • Although not affected, the ElasticSearch component has been upgraded in Component Pack version 3.0.2 to use Log4J2 version 2.17.1, which includes the fixes for CVE-2021-45105 and CVE-2021-44832.

  • License Server

    • The License Server product includes solely the API of the Apache Log4J2 library and not the implementations. It is therefore not affected by the vulnerabilities.

    • Although not affected, the License Server has been upgraded in version 5.3.0 to use Log4J2 version 2.16.0, which includes the fixes for CVE-2021-44228 and CVE-2021-45046.

    • Although not affected, the License Server has been upgraded in version 5.3.2 to use Log4J2 version 2.17.1, which includes the fixes for CVE-2021-45105 and CVE-2021-44832.


The attached xDI Security Notice provides detailed information.


Do not hesitate to contact our support team if you have additional questions or need further clarifications.

