
[updated on 2022 03 07 18:00 GMT+1]

More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

For more information, see CVE-2021-44228, CVE-2021-45046, CVE-2021-44832.

Table of Contents

Change log

Timestamp | Description
2022 03 07 18:00 GMT+1 | 2021x Refresh1 HF2 and 2021x Refresh2 HF2 (hot fixes) with log4j 2.17.1 are released as a Remediation option. Also, log4j 1.2 has been removed from these hot fixes. Added CVE-2021-44832 to the vulnerability list.
2022 01 06 18:00 GMT+1 | Updated the log4j version from 2.17.0 to 2.17.1 for modeling and collaboration tools in Remediation. Added an additional note for collaboration tools v19.0 SPx in Remediation.
2021 12 22 19:30 GMT+1 | 2021x Refresh1 HF1 and 2021x Refresh2 HF1 (hot fixes) with log4j 2.16.0 are released as a Remediation option.
2021 12 20 21:00 GMT+1 | Updated the Remediation options for modeling and collaboration tools.
2021 12 20 16:30 GMT+1 | Added log4j version 2.17.0 for modeling and collaboration tools in Remediation.
2021 12 17 14:00 GMT+1 | Updated the Remediation options for modeling and collaboration tools.
2021 12 17 13:00 GMT+1 | Updated the log4j version from 2.15.0 to 2.16.0 for modeling and collaboration tools in Remediation.
2021 12 16 14:00 GMT+1 | Added the Cameo DataHub plugin to the list in "Apache Log4j2 version 2.0-2.14.1 is a part of the following products, however it is not used for logging. No action to perform."
2021 12 16 14:00 GMT+1 | Added information about FlexNet Publisher in "Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform."

Apache Log4j2 version 2.0-2.17.0 is a part of the following products. Action to perform.

CATIA Magic portfolio

  • Magic Collaboration Studio (release 2021x Refresh1, 2021x Refresh2)
  • Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
  • Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
  • Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)

No Magic portfolio

  • Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Collaborator for Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
  • MagicDraw (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)
  • Cameo DataHub plugin (release 2021x Refresh1, 2021x Refresh2)

To Do:  You have action to perform. See Remediation.

FlexNet Publisher

  • lmadmin (FlexNet Publisher 64-bit License Server Manager)

To Do:  You have action to perform, if you are using lmadmin Alerter Service. For more information, see here.


Apache Log4j2 version 2.0-2.17.0 is a part of the following products, however it is not used for logging. No action to perform.

CATIA Magic portfolio

  • Magic Collaboration Studio (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

  • Cameo Collaborator for Teamwork Cloud (release 2021x, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Teamwork Cloud (release 2021x, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Cameo DataHub plugin (release 2021x Refresh1, 2021x Refresh2)

The following products and versions are NOT affected. No action to perform.

CATIA Magic portfolio

  • Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

  • Teamwork Cloud (release 19.0)
  • Teamwork Server (release 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
  • Cameo Collaborator for Teamwork Cloud (release 19.0)
  • MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
  • Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
  • Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)


Remediation

For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect, MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)

Option 1

Download and install 2021x Refresh1 HF2 (hot fix). This is a new full 2021x Refresh1 version build with log4j 2.17.1.

Download and install 2021x Refresh2 HF2 (hot fix). This is a new full 2021x Refresh2 version build with log4j 2.17.1.

See Downloading installation files

Option 2

  1. Make sure the application is not running.
  2. Download log4j 2.17.1 from the Apache website (link).
  3. Search the installation base for these jar files:
    • log4j-core-2.*.jar
    • log4j-1.2-api-2.*.jar
    • log4j-api-2.*.jar
    • log4j-slf4j-impl-2.*.jar
  4. Replace any match by the 2.17.1 version. Make sure the original filename is unchanged. See the example below.
  5. The replacing and renaming operations must be performed for all jar files found from the list.

Example - if you find log4j-core-2.11.2.jar:

  1. Remove log4j-core-2.11.2.jar
  2. Copy log4j-core-2.17.1.jar to the same location
  3. Rename log4j-core-2.17.1.jar to log4j-core-2.11.2.jar

Option 3

You may prevent lookups in the log event message by adding a parameter via the command line or in the <modeling tool>.properties file. Note that this setting only disables message lookups in log4j 2.10 to 2.14.1 and is known to be an incomplete mitigation (see CVE-2021-45046), so Option 1 or Option 2, which replace the library itself, should be preferred.

Configuring the <modeling tool>.properties file

In the JAVA_ARGS line add:

Code Block
-Dlog4j.formatMsgNoLookups=true

For example:

Code Block
JAVA_ARGS=-Xmx4000M -DLOCALCONFIG\=true -splash\:data/splash.png -Dmd.class.path\=$java.class.path -Dcom.nomagic.osgi.config.dir\=configuration -Desi.system.config\=data/application.conf -Dlogback.configurationFile\=data/logback.xml -Dsun.locale.formatasdefault\=true -Dinitial.user.language\=en -Xss1024K -Dlog4j.formatMsgNoLookups=true

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.

Download the same instructions: CATIA_No_Magic_log4j_procedure_V4.pdf
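Because the procedure keeps the old filename (log4j-core-2.11.2.jar ends up containing 2.17.1), an inventory keyed on filenames cannot tell a patched installation from an unpatched one. The following added example (not code from this page or from the CATIA/No Magic tooling) reads the version from each jar's own manifest instead; it searches for the jar names listed above both on disk and inside the .war files named in the collaboration tools section, and the installation layout it builds is constructed sample data.

```python
import io, os, re, tempfile, zipfile
from pathlib import Path

# Jar name patterns from the advisory's search lists; FIXED is the version it tells you to install.
PATTERNS = [re.compile(p) for p in (r"^log4j-core-2\..*\.jar$", r"^log4j-api-2\..*\.jar$",
            r"^log4j-1\.2-api-2\..*\.jar$", r"^log4j-slf4j-impl-2\..*\.jar$")]
FIXED = (2, 17, 1)

def real_version(data):
    """Version from the jar's own manifest: the advisory keeps the old filename, so the name is no evidence."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        text = "".join(jar.read(n).decode("utf-8", "replace") for n in jar.namelist() if n == "META-INF/MANIFEST.MF")
    m = re.search(r"^(?:Implementation-Version|Bundle-Version):\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def status(v):  # 'unknown' if no version could be read; anything below FIXED was not replaced
    return "unknown" if v is None else "patched" if tuple(map(int, re.findall(r"\d+", v)[:3])) >= FIXED else "vulnerable"

def scan(base):
    """Classify every matching jar under base, including jars packed inside the .war files."""
    findings = []
    for root, _, files in os.walk(base):
        for f in files:
            path = os.path.join(root, f)
            if f.endswith(".war"):
                with zipfile.ZipFile(path) as war:
                    for entry in war.namelist():
                        if any(p.match(os.path.basename(entry)) for p in PATTERNS):
                            v = real_version(war.read(entry))
                            findings.append((path + "!" + entry, v, status(v)))
            elif any(p.match(f) for p in PATTERNS):
                v = real_version(Path(path).read_bytes())
                findings.append((path, v, status(v)))
    return sorted(findings, key=lambda x: x[0])

def make_jar(version):  # constructed stand-in for a Log4j jar: a zip holding only a manifest line
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Implementation-Version: %s\n" % version)
    return buf.getvalue()

def demo():
    """Constructed base: core jar replaced and renamed as instructed, api jar forgotten, old war."""
    base = Path(tempfile.mkdtemp())
    (base / "lib").mkdir()
    for name, ver in (("log4j-core-2.11.2.jar", "2.17.1"), ("log4j-api-2.11.2.jar", "2.11.2")):
        (base / "lib" / name).write_bytes(make_jar(ver))
    with zipfile.ZipFile(base / "webapp.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", make_jar("2.11.2"))
    return {os.path.relpath(p, base).replace(os.sep, "/"): (v, s) for p, v, s in scan(base)}
```

Run scan() against a real installation base after the replace-and-rename steps; any finding other than "patched" means a jar from the list above was missed.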

...

For collaboration tools (Magic Collaboration Studio, Cameo Collaborator for Teamwork Cloud, Teamwork Cloud)

Option 1

Download and install 2021x Refresh1 HF2 (hot fix). This is a new full 2021x Refresh1 version build with log4j 2.17.1.

Download and install 2021x Refresh2 HF2 (hot fix). This is a new full 2021x Refresh2 version build with log4j 2.17.1.

See Downloading installation files

Option 2

In your installation base, please search for the following files: webapp.war, admin.war, collaborator.war, document-exporter.war, resource-usage-map.war, resources.war. If you do not find any result, you can stop the procedure here: your installation does not contain web applications.

If you find a match, you might need to replace the log4j2 libraries inside each war file found (for example webapp.war). Please execute these steps:

  1. Make sure the application is not running.
  2. Download log4j 2.17.1 from the Apache website (link).
  3. Uncompress (unzip) webapp.war into any temporary folder.
  4. Search for these jar files among the unzipped ones:
    • log4j-core-2.*.jar
    • log4j-api-2.*.jar
  5. Replace any match by the 2.17.1 version. Make sure the original filename is unchanged. See the example below.

    Note: for collaboration tools of version 19.0 SPx (Magic Collaboration Studio, Cameo Collaborator for Teamwork Cloud, Teamwork Cloud), also look for a file named org.apache.log4j-19.0.0.jar. Delete it if found.

  6. Compress (zip) all extracted files back to webapp_patched.war. Make sure the file structure in the new war is the same as in the original war.
  7. Replace the original webapp.war with webapp_patched.war and restore the name back to webapp.war.
  8. Look for a folder named webapp next to webapp.war. Delete it if found.
  9. Start the application.

Example - if you find log4j-core-2.11.2.jar:

  1. Remove log4j-core-2.11.2.jar
  2. Copy log4j-core-2.17.1.jar to the same location
  3. Rename log4j-core-2.17.1.jar to log4j-core-2.11.2.jar

Option 3

You may prevent lookups in the log event message by adding a parameter via the command line or in the Web Application Platform setenv.sh / setenv.bat file.

Configuring the setenv.bat file on Windows

If your instance of the Web Application Platform is running on Windows, configure this file by following one of the given workflows.

To configure the setenv.bat file when the Web Application Platform is started by running an executable

Copy and paste the following line to the setenv.bat file:

Code Block
set JAVA_OPTS=-Dlog4j.formatMsgNoLookups=true

To configure the setenv.bat file when the Web Application Platform is started as a service

In the command-line interface, run the following command:

Code Block
.\bin\tomcat<version>.exe //US//WebApp --JvmMs=8000 --JvmMx=8000 ++JvmOptions='-Dlog4j.formatMsgNoLookups=true'

Configuring the setenv.sh file on Linux and Mac

If your instance of the Web Application Platform is running on Linux or Mac, configure this file by following the steps outlined below.

To configure the setenv.sh file on Linux and Mac

Copy and paste the following lines to the setenv.sh file:

Code Block
JAVA_OPTS="$JAVA_OPTS -Dlog4j.formatMsgNoLookups=true"
export JAVA_OPTS

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.

Download the same instructions: CATIA_No_Magic_log4j_procedure_V4.pdf
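Steps 5 to 8 of the war procedure above, as an added example (not code from this page or from the vendor): rather than unzipping to a temporary folder and zipping back, it rewrites the war entry by entry, replacing log4j-core and log4j-api under their original entry names, dropping org.apache.log4j-19.0.0.jar, and copying every other entry unchanged so the structure stays identical to the original. The webapp.war it patches and the exploded webapp folder next to it are constructed sample data.

```python
import io, re, shutil, tempfile, zipfile
from pathlib import Path

# Inside each war: replace these two artifacts under their original entry name; delete the 19.0 SPx bundle.
REPLACE = re.compile(r"^(log4j-core|log4j-api)-2\..*\.jar$")
DELETE = "org.apache.log4j-19.0.0.jar"

def patch_war(src, dst, new_jars):
    """Rewrite src into dst entry by entry. new_jars maps 'log4j-core' / 'log4j-api' to the bytes
    of the 2.17.1 jars. Matching entries get those bytes under their ORIGINAL name (step 5); all
    other entries keep name, metadata and order, so the structure matches the original (step 6)."""
    changed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base == DELETE:
                changed.append(("deleted", info.filename))
                continue
            data, m = zin.read(info), REPLACE.match(base)
            if m:
                data = new_jars[m.group(1)]
                changed.append(("replaced", info.filename))
            zout.writestr(info, data)
    return changed

def make_jar(version):  # constructed stand-in for a Log4j jar: a zip holding only a manifest line
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Implementation-Version: %s\n" % version)
    return buf.getvalue()

def demo():
    """Constructed webapp.war (old core and api jars, a 19.0.0 bundle, an unrelated jar) and an
    exploded 'webapp' folder next to it, run through steps 5 to 8 of the advisory."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "webapp").mkdir()
    with zipfile.ZipFile(tmp / "webapp.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", make_jar("2.11.2"))
        war.writestr("WEB-INF/lib/log4j-api-2.11.2.jar", make_jar("2.11.2"))
        war.writestr("WEB-INF/lib/org.apache.log4j-19.0.0.jar", b"stale 19.0 SPx bundle")
        war.writestr("WEB-INF/lib/other-1.0.jar", b"unrelated, must survive untouched")
    new = {"log4j-core": make_jar("2.17.1"), "log4j-api": make_jar("2.17.1")}
    changes = patch_war(tmp / "webapp.war", tmp / "webapp_patched.war", new)
    (tmp / "webapp_patched.war").replace(tmp / "webapp.war")  # step 7: restore the original name
    shutil.rmtree(tmp / "webapp")                              # step 8: drop the exploded folder
    with zipfile.ZipFile(tmp / "webapp.war") as war:
        core = zipfile.ZipFile(io.BytesIO(war.read("WEB-INF/lib/log4j-core-2.11.2.jar")))
        return {"changes": sorted(changes), "entries": sorted(war.namelist()),
                "core_manifest": core.read("META-INF/MANIFEST.MF"),
                "exploded_dir_gone": not (tmp / "webapp").exists()}
```

Stop the application before running patch_war() on a real war (step 1), and hand it the jar bytes downloaded from the Apache site (step 2).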