[updated on 2022 03 07 18:00 GMT+1]

For more information, see CVE-2021-44228, CVE-2021-45046, CVE-2021-44832.

Change log

Apache Log4j2 version 2.0-2.17.0 is a part of the following products. Action to perform.

CATIA Magic portfolio

• Magic Collaboration Studio (release 2021x Refresh1, 2021x Refresh2)
• Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
• Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
• Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)

No Magic portfolio

• Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
• Cameo Collaborator for Teamwork Cloud (release  2021x Refresh1, 2021x Refresh2)
• MagicDraw (release 2021x Refresh1, 2021x Refresh2)
• Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
• Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)
  
  

To Do:  You have action to perform. See Remediation.

FlexNet Publisher 

• lmadmin (FlexNet Publisher 64-bit License Server Manager)

To Do:  You have action to perform, if you are using lmadmin Alerter Service. For more information, see here.

Apache Log4j2 version 2.0-2.17.0 is a part of the following products, however it is not used for logging. No action to perform.

CATIA Magic portfolio

• Magic Collaboration Studio (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  

No Magic portfolio

• Cameo Collaborator for Teamwork Cloud (release  2021x, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Teamwork Cloud (release 2021x , 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Cameo DataHub plugin (release 2021x Refresh1, 2021x Refresh2)

The following products and versions are NOT affected. No action to perform.

CATIA Magic portfolio

• Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

• Teamwork Cloud (release 19.0) 
• Teamwork Server (release 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
• Cameo Collaborator for Teamwork Cloud (release 19.0) 
• MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
• Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
• Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)

Remediation

For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect , MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)

Option 1

Download and install 2021x Refresh1 HF2 (hot fix). This is a new full 2021x Refresh1 version build with log4j 2.17.1. 

Download and install 2021x Refresh2 HF2 (hot fix). This is a new full 2021x Refresh2 version build with log4j 2.17.1.  

See Downloading installation files

Option 2

1. Make sure application is not running
2. Download log4j 2.17.1 from apache website (link)
3. Search now for these jar files in installation base
   
   • log4j-core-2.*.jar
   • log4j-1.2-api-2.*.jar
   • log4j-api-2.*.jar
   • log4j-slf4j-impl-2.*.jar
4. Replace any match by the 2.17.1 version. Make sure the original filename is unchanged. See example below.
5. The replacing and renaming operations must be performed for all jar files found from the list

Example - if you find log4j-core-2.11.2.jar:

1. Remove log4j-core-2.11.2.jar
2. Copy log4j-core-2.17.1.jar to the same location
3. Rename log4j-core-2.17.1.jar to log4j-core-2.11.2.jar

Download same instructions CATIA_No_Magic_log4j_procedure_V4.pdf

For collaboration tools (Magic Collaboration Studio, Cameo Collaborator for Teamwork Cloud, Teamwork Cloud)

Option 1

Download and install 2021x Refresh1 HF2 (hot fix). This is a new full 2021x Refresh1 version build with log4j 2.17.1. 

Download and install 2021x Refresh2 HF2 (hot fix). This is a new full 2021x Refresh2 version build with log4j 2.17.1.

See Downloading installation files

Option 2

In your installation base, please search for the following files: webapp.war, admin.war, collaborator.war, document-exporter.war, resource-usage-map.war, resources.war. If you do not find any result, you can stop the procedure here. Your installation does not contain web applications

If you find a match, you might need to replace log4j2 libraries inside each found war files (for example webapp.war). Please execute these steps:

1. Make sure application is not running
2. Download log4j 2.17.1 from apache website (link)
3. Uncompress(unzip) webapp.war into any tmp folder
4. Search now for these jar files among unzipped ones
   • log4j-core-2.*.jar
   • log4j-api-2.*.jar

5. Replace any match by the 2.17.1 version. Make sure the original filename is unchanged. See example below.

   look for a file named org.apache.log4j-19.0.0.jar. Delete it if found.

   
   

6. Compress(zip) all extracted files back to webapp_patched.war. Make sure files structure in new war is same as in original war.
7. Replace original webapp.war with webapp_patched.war and restore name back to webapp.war
8. Look for a folder named webapp next to webapp.war. Delete it if found.
9. Start application

Example - if you find log4j-core-2.11.2.jar:

1. Remove log4j-core-2.11.2.jar
2. Copy log4j-core-2.17.1.jar to the same location
3. Rename log4j-core-2.17.1.jar to log4j-core-2.11.2.jar

Download same instructions CATIA_No_Magic_log4j_procedure_V4.pdf