More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

Apache Log4j2 version <2.15.0 is a part of the following products in these versions:

CATIA Magic portfolio

• Magic Collaboration Studio (release 2021x, 2021x Refresh1, 2021x Refresh2, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
• Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
• Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)

No Magic portfolio

• Teamwork Cloud (release 2021x, 2021x Refresh1, 2021x Refresh2, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Cameo Collaborator for Teamwork Cloud (release  2021x, 2021x Refresh1, 2021x Refresh2, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• MagicDraw (release 2021x Refresh1, 2021x Refresh2)
• Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
• Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)

Remediation

Option 1

1. Download the latest log4j 2.15.0 patched version .
2. Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.15.0 zip file while keeping the original file name.

Example:

• if found: log4j-core-2.11.2.jar
• then remove log4j-core-2.11.2.jar
• copy log4j-core-2.15.0.jar over to log4j-core-2.11.2.jar
• repeat for any other log4j 2.x file found.

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability. 

Option 2

If you cannot upgrade log4j, you may add 

 -Dlog4j.formatMsgNoLookups=true

as a command line option or add

log4j.formatMsgNoLookups=true

to a <modeling tool installation directory>\bin\<modeling tool>.properties file (e.g. magicdraw.properties, csm.properties, cameoea.properties) on the classpath to prevent lookups in the log event message.

The following products and versions are NOT affected:

CATIA Magic portfolio

• Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
• Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

• Teamwork Cloud (release 19.0) 
• Cameo Collaborator for Teamwork Cloud (release 19.0) 
• MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
• Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
• Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)