More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

Apache Log4j2 versions earlier than 2.15.0 are part of the following products in these versions:

CATIA Magic portfolio

  • Magic Collaboration Studio (release 2021x, 2021x Refresh1, 2021x Refresh2, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
  • Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
  • Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)

No Magic portfolio

  • Teamwork Cloud (release 2021x, 2021x Refresh1, 2021x Refresh2, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Cameo Collaborator for Teamwork Cloud (release 2021x, 2021x Refresh1, 2021x Refresh2, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • MagicDraw (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)

 

Remediation

For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect, MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)

Option 1

  1. Download the latest log4j 2.15.0 patched version.
  2. Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.15.0 zip file while keeping the original file name.

...

If you cannot upgrade log4j, you may add 

 -Dlog4j.formatMsgNoLookups=true

as a command line option or add

log4j.formatMsgNoLookups=true

to a <modeling tool installation directory>\bin\<modeling tool>.properties file (e.g. magicdraw.properties, csm.properties, cameoea.properties) on the classpath to prevent lookups in the log event message.

 

For collaboration tools (Magic Collaboration Studio 19.0 SP2 - 19.0 SP4, Cameo Collaborator for Teamwork Cloud 19.0 SP1 - SP4, Teamwork Cloud 19.0 SP1 - SP4)

Option 1

Please add 

 -Dlog4j.formatMsgNoLookups=true

...

log4j.formatMsgNoLookups=true

to a <modeling tool installation directory>\bin\<modeling tool>.properties file (e.g. magicdraw.properties, csm.properties, cameoea.properties) on the classpath to prevent lookups in the log event message.


Option 2 (more complicated)

  1. Download the latest log4j 2.15.0 patched version.
  2. Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.15.0 zip file while keeping the original file name.

Example:

  • if found: log4j-core-2.11.2.jar
  • then remove log4j-core-2.11.2.jar
  • copy log4j-core-2.15.0.jar over to log4j-core-2.11.2.jar
  • repeat for any other log4j 2.x file found.

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability. 
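
Because the replaced jars keep their original file names, the file name no longer shows which version is installed. The check below is an added example, not part of the vendor's procedure: it reads the version from each jar's manifest and flags any log4j 2.x jar still below 2.15.0. It assumes the jars carry an Implementation-Version or Bundle-Version manifest entry; the jars built in demo() are constructed samples.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (2, 15, 0)  # patched release named in the remediation steps
_VERSION = re.compile(
    r"^(?:Implementation|Bundle)-Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", re.M)


def manifest_version(jar):
    """Version recorded inside the jar's manifest, or None if it cannot be read."""
    try:
        with zipfile.ZipFile(jar) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = _VERSION.search(text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def audit(install_dir):
    """Classify every log4j 2.x jar under install_dir by its embedded version."""
    root, report = Path(install_dir), {}
    for jar in sorted(root.rglob("log4j-*.jar")):
        ver = manifest_version(jar)
        if ver is not None and ver[0] != 2:
            continue  # log4j 1.x jars are outside this procedure
        status = "unknown" if ver is None else "ok" if ver >= FIXED else "vulnerable"
        report[jar.relative_to(root).as_posix()] = (status, ver)
    return report


def demo():
    """Constructed sample: one jar replaced as described, one missed, one corrupt."""
    def make_jar(path, version):
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    with tempfile.TemporaryDirectory() as tmp:
        make_jar(Path(tmp, "log4j-core-2.11.2.jar"), "2.15.0")  # replaced, old name kept
        make_jar(Path(tmp, "log4j-api-2.11.2.jar"), "2.11.2")   # missed during replacement
        Path(tmp, "log4j-jul-2.11.2.jar").write_bytes(b"not a zip")  # unreadable file
        return audit(tmp)


if __name__ == "__main__":
    for name, (status, ver) in demo().items():
        print(f"{status:10} {ver} {name}")
```

To check a real installation, call audit() with the installation directory; any entry reported as "vulnerable" or "unknown" needs the replacement step repeated or a manual look.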

 

The following products and versions are NOT affected:

...