View Source

[updated on 2021 12 16 14:00 GMT+1]

More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

Change log

Timestamp	Description
2021 12 16 14:00 GMT+1	Added Cameo DataHub plugin to the list in Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform.
2021 12 16 14:00 GMT+1	Added information about FlexNet Publisher in Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform.

Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform.

CATIA Magic portfolio

Magic Collaboration Studio (release 2021x Refresh1, 2021x Refresh2)
Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)

No Magic portfolio

Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
Cameo Collaborator for Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
MagicDraw (release 2021x Refresh1, 2021x Refresh2)
Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)
Cameo DataHub plugin (release 2021x Refresh1, 2021x Refresh2)

To Do: You have action to perform. See Remediation.

FlexNet Publisher

lmadmin (FlexNet Publisher 64-bit License Server Manager)

To Do: You have action to perform, if you are using lmadmin Alerter Service. For more information, see here.

Apache Log4j2 version 2.0-2.14.1 is a part of the following products, however it is not used for logging. No action to perform.

CATIA Magic portfolio

Magic Collaboration Studio (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

Cameo Collaborator for Teamwork Cloud (release 2021x, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
Teamwork Cloud (release 2021x , 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)

The following products and versions are NOT affected. No action to perform.

CATIA Magic portfolio

Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

Teamwork Cloud (release 19.0)
Cameo Collaborator for Teamwork Cloud (release 19.0)
MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)

Remediation

For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect , MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)

Option 1

Download the latest log4j 2.15.0 patched version .
Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.15.0 zip file while keeping the original file name.

Example:

if found: log4j-core-2.11.2.jar
then remove log4j-core-2.11.2.jar
copy log4j-core-2.15.0.jar over to log4j-core-2.11.2.jar
repeat for any other log4j 2.x file found.

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.

Option 2

You may prevent lookups in the log event message by adding parameter via command line or in the <modeling tool>.properties file.

Configuring<modeling tool>.properties file

Go to <modeling tool installation directory>\bin and open the modeling tool properties file.

In the JAVA_ARGS line add:

-Dlog4j.formatMsgNoLookups=true

For example:

JAVA_ARGS=-Xmx4000M -DLOCALCONFIG\=true -splash\:data/splash.png -Dmd.class.path\=$java.class.path -Dcom.nomagic.osgi.config.dir\=configuration -Desi.system.config\=data/application.conf -Dlogback.configurationFile\=data/logback.xml -Dsun.locale.formatasdefault\=true -Dinitial.user.language\=en -Xss1024K -Dlog4j.formatMsgNoLookups=true

Save and close the file.
Restart your modeling tool.

For collaboration tools (Magic Collaboration Studio, Cameo Collaborator for Teamwork Cloud, Teamwork Cloud)

Option 1

You may prevent lookups in the log event message by adding parameter via command line or in Web Application Platform setenv.sh / setenv.bat properties file.

Configuring setenv.bat file on Windows

If your instance of the Web Application Platform is running on Windows, configure this file by following one of the given workflows.

To configure setenv.bat files when the Web Application Platform is started by running an executable

In the Java application server home directory (on which Web Application Platform runs), go to the bin folder. For example, if you use Apache Tomcat, go to <tomcat_home>\bin.
Using a plain text editor, create the setenv.bat file in that directory if it does not already exist.
Copy and paste the following line to the setenv.bat file:
set JAVA_OPTS=-Dlog4j.formatMsgNoLookups=true
Save and close the file.
Restart the Java application server.

To configure setenv.bat files when the Web Application Platform is started as a service

Stop the Web Application Platform if it is running.
Open the command-line interface and go to the Web Application Platform installation directory.

In the command-line interface, run the following command:

.\bin\tomcat<version>.exe //US//WebApp --JvmMs=8000 --JvmMx=8000 ++JvmOptions='-Dlog4j.formatMsgNoLookups=true'

Restart the Web Application Platform.

Configuring setenv.sh file on Linux and Mac

If your instance of the Web Application Platform is running on Linux or Mac, configure this file by following the steps outlined below.

To configure setenv.sh file on Linux and Mac

In the Java application server (on which Web Application Platform runs) home directory, go to the bin folder. For example, if you use Apache Tomcat, go to <tomcat_home>/bin.
Using a plain text editor, create the setenv.sh file in that directory if it does not already exist.
Copy and paste the following lines to the setenv.sh file:
set JAVA_OPTS=-Dlog4j.formatMsgNoLookups=true
Save and close the file.
Restart the Java application server.

Option 2 (more complex)

Download the latest log4j 2.15.0 patched version .
Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.15.0 zip file while keeping the original file name.

Example:

if found: log4j-core-2.11.2.jar
then remove log4j-core-2.11.2.jar
copy log4j-core-2.15.0.jar over to log4j-core-2.11.2.jar
repeat for any other log4j 2.x file found.

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.