Page History

[updated on 2022 03 07 18:00 GMT+1]

For more information, see CVE-2021-44228, CVE-2021-45046, CVE-2021-44832.

Change log

Apache Log4j2 version 2.0-2.17

More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

...

.0 is a part of the following products

...

. Action to perform.

CATIA Magic portfolio

• Magic Collaboration Studio (release release 2021x Refresh1, 2021x Refresh2)
• Magic Software Architect (release release 2021x Refresh1, 2021x Refresh2)
• Magic Cyber Systems Engineer (release release 2021x Refresh1, 2021x Refresh2)
• Magic Systems of Systems Architect (release release 2021x Refresh1, 2021x Refresh2)

No Magic portfolio

• Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
• Cameo Collaborator for Teamwork Cloud (release  2021x Refresh1, 2021x Refresh2)
• MagicDraw (release release 2021x Refresh1, 2021x Refresh2)
• Cameo Systems Modeler (release release 2021x Refresh1, 2021x Refresh2)
• Cameo Enterprise Architecture (release release 2021x Refresh1, 2021x Refresh2)
  
  

To Do:  You have action to perform. See Remediation.

FlexNet Publisher 

• lmadmin (FlexNet Publisher 64-bit License Server Manager)

To Do:  You have action to perform, if you are using lmadmin Alerter Service. For more information, see here.

Apache Log4j2 version

...

2.0-2.17.0 is a part of

...

the following products, however it is not used for logging

...

. No action to perform.

CATIA Magic portfolio

• Magic Collaboration Studio (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  

No Magic portfolio

• Cameo Collaborator for Teamwork Cloud (release  2021x, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Teamwork Cloud (release 2021x , 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Cameo DataHub plugin (release 2021x Refresh1, 2021x Refresh2)

The following products and versions are NOT affected. No action to perform.

CATIA Magic portfolio

• Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

• Teamwork Cloud (release 19.0) 
• Teamwork Server (release 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
• Cameo Collaborator for Teamwork Cloud (release 19.0) 
• MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
• Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
• Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)

Remediation

For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect , MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)

Option 1

Download

...

and install 2021x Refresh1 HF2 (hot fix). This is a new full 2021x Refresh1 version build with log4j 2.

...

17.

...

1.

...

Download and install 2021x Refresh2 HF2 (hot fix). This is a new full 2021x Refresh2 version build with log4j 2.17.1.  

See Downloading installation files

Option 2

Example:

...

1. Make sure application is not running
2. Download log4j 2.17.1 from apache website (link)
3. Search now for these jar files in installation base
   

1. • log4j-core-2

...

1. • .*.jar
   • log4j-1.2-api-2.*.jar

...

1. • log4j-

...

1. • api-2.

...

1. • *.jar
   • log4j-slf4j-impl-2.*.jar
2. Replace any match by the 2.17.1 version. Make sure the original filename is unchanged. See example below.
3. The replacing and renaming operations must be performed for all jar files found from the list

Example - if you find log4j-core-2.

...

11.

...

2.jar

...

:

1. Remove log4j-core-2.11.2.jar

...

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability. 

Option 2

If you cannot upgrade log4j, you may add 

 -Dlog4j.formatMsgNoLookups=true

as a command line option or add

log4j.formatMsgNoLookups=true

to a <modeling tool installation directory>\bin\<modeling tool>.properties file (e.g. magicdraw.properties, csm.properties, cameoea.properties) on the classpath to prevent lookups in the log event message.

1. Copy log4j-core-2.17.1.jar to the same location
2. Rename log4j-core-2.17.1.jar to log4j-core-2.11.2.jar

Download same instructions CATIA_No_Magic_log4j_procedure_V4.pdf 

For collaboration tools (Magic Collaboration Studio,

...

 Cameo Collaborator for Teamwork Cloud, Teamwork Cloud)

Option 1

You may prevent  lookups in the log event message by adding parameter via command line or in Web Application Platform setenv.sh / setenv.bat properties file.

Configuring setenv.bat file on Windows

If your instance of the Web Application Platform is running on Windows, configure this file by following one of the given workflows.

To configure setenv.bat files when the Web Application Platform is started by running an executable

...

Copy and paste the following line to the setenv.bat file:

-Dlog4j.formatMsgNoLookups=true

...

To configure setenv.bat files when the Web Application Platform is started as a service

...

In the command-line interface, run the following command:

.\bin\tomcat<version>.exe //US//WebApp --JvmMs=8000 --JvmMx=8000 ++JvmOptions='-Dlog4j.formatMsgNoLookups=true'

...

Configuring setenv.sh file on Linux and Mac

If your instance of the Web Application Platform is running on Linux or Mac, configure this file by following the steps outlined below.

To configure setenv.sh file on Linux and Mac

...

Copy and paste the following lines to the setenv.sh file:

-Dlog4j.formatMsgNoLookups=true

...

Download and install 2021x Refresh1 HF2 (hot fix). This is a new full 2021x Refresh1 version build with log4j 2.17.1. 

Download and install 2021x Refresh2 HF2 (hot fix). This is a new full 2021x Refresh2 version build with log4j 2.17.1.

See Downloading installation files

Option 2

In your installation base, please search for the following files: webapp.war, admin.war, collaborator.war, document-exporter.war, resource-usage-map.war, resources.war. If you do not find any result, you can stop the procedure here. Your installation does not contain web applications

If you find a match, you might need to replace log4j2 libraries inside each found war files (for example webapp.war). Please execute these steps:

1. Make sure application is not running
2. Download log4j 2.17.1 from apache website (link)
3. Uncompress(unzip) webapp.war into any tmp folder
4. Search now for these jar files among unzipped ones
   • log4j-core-2.*.jar
   • log4j-api-2.*.jar

5. Replace any match by the 2.17.1 version. Make sure the original filename is unchanged. See example below.

   Note
   title For collaboration tools of 19.0 SPx version (Magic Collaboration Studio, Cameo Collaborator for Teamwork Cloud, Teamwork Cloud):
   look for a file named org.apache.log4j-19.0.0.jar. Delete it if found.

   
   

6. Compress(zip) all extracted files back to webapp_patched.war. Make sure files structure in new war is same as in original war.
7. Replace original webapp.war with webapp_patched.war and restore name back to webapp.war
8. Look for a folder named webapp next to webapp.war. Delete it if found.
9. Start application

Example - if you find

Option 2 (more complicated)

1. Download the latest log4j 2.15.0 patched version .
2. Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.15.0 zip file while keeping the original file name.

Example:

...

log4j-core-2.11.2.jar:

...

1. Remove log4j-core-2.11.2.jar

...

1. Copy log4j-core-2.

...

1. 17.

...

1. 1.jar

...

1. to the same location
2. Rename log4j-core-2.

...

1. 17.

...

1. 1.jar

...

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability. 

The following products and versions are NOT affected:

CATIA Magic portfolio

• Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

• Teamwork Cloud (release 19.0) 
• Cameo Collaborator for Teamwork Cloud (release 19.0) 
• MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
• Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
• Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)

1. to log4j-core-2.11.2.jar

Download same instructions CATIA_No_Magic_log4j_procedure_V4.pdf