You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 43 Next »

[updated on 2021 12 17 14:00 GMT+1]

More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

Change log

TimestampDescription
2021 12 17 14:00 GMT+1Updated Remediation options for modeling and collaboration tools.
2021 12 17 13:00 GMT+1Updated log4j version from 2.15.0 to 2.16.0 for modeling and collaboration tools in Remediation.
2021 12 16 14:00 GMT+1Added Cameo DataHub plugin to the list in Apache Log4j2 version 2.0-2.14.1 is a part of the following products, however it is not used for logging. No action to perform.
2021 12 16 14:00 GMT+1
Added information about FlexNet Publisher in Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform.

Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform.

CATIA Magic portfolio

  • Magic Collaboration Studio (release 2021x Refresh1, 2021x Refresh2)
  • Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
  • Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
  • Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)

No Magic portfolio

  • Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Collaborator for Teamwork Cloud (release  2021x Refresh1, 2021x Refresh2)
  • MagicDraw (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)

To Do:  You have action to perform. See Remediation.

FlexNet Publisher 

  • lmadmin (FlexNet Publisher 64-bit License Server Manager)

To Do:  You have action to perform, if you are using lmadmin Alerter Service. For more information, see here.


Apache Log4j2 version 2.0-2.14.1 is a part of the following products, however it is not used for logging. No action to perform.

CATIA Magic portfolio

  • Magic Collaboration Studio (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

  • Cameo Collaborator for Teamwork Cloud (release  2021x19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Teamwork Cloud (release 2021x , 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Cameo DataHub plugin (release 2021x Refresh1, 2021x Refresh2)

The following products and versions are NOT affected. No action to perform.

CATIA Magic portfolio

  • Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

  • Teamwork Cloud (release 19.0) 
  • Cameo Collaborator for Teamwork Cloud (release 19.0) 
  • MagicDraw (release 2021x19.0 and all service packs, 18.5 SP4, 18.0 SP7)
  • Cameo Systems Modeler (release 2021x19.0 and all service packs, 18.5 SP4, 18.0 SP7)
  • Cameo Enterprise Architecture (release 2021x19.0 and all service packs, 18.5 SP4, 18.0 SP7)


Remediation

For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect , MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)

  1. Download the latest log4j 2.16.0 patched version.
  2. Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.16.0 zip file while keeping the original file name.

Example:

  • if found: log4j-core-2.11.2.jar
  • then remove log4j-core-2.11.2.jar
  • copy log4j-core-2.16.0.jar over to log4j-core-2.11.2.jar
  • repeat for any other log4j 2.x file found.

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability. 


For collaboration tools (Magic Collaboration Studio, Cameo Collaborator for Teamwork Cloud, Teamwork Cloud)

  1. Download the latest log4j 2.16.0 patched version.
  2. Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.16.0 zip file while keeping the original file name.

Example:

  • if found: log4j-core-2.11.2.jar
  • then remove log4j-core-2.11.2.jar
  • copy log4j-core-2.16.0.jar over to log4j-core-2.11.2.jar
  • repeat for any other log4j 2.x file found.

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.