View Source

[updated on 2021 12 20 21:00 GMT+1]

More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

Change log

Timestamp	Description
2021 12 20 21:00 GMT+1
2021 12 20 16:30 GMT+1	Added log4j version 2.17.0 for modeling and collaboration tools in Remediation.
2021 12 17 14:00 GMT+1	Updated Remediation options for modeling and collaboration tools.
2021 12 17 13:00 GMT+1	Updated log4j version from 2.15.0 to 2.16.0 for modeling and collaboration tools in Remediation.
2021 12 16 14:00 GMT+1	Added Cameo DataHub plugin to the list in Apache Log4j2 version 2.0-2.14.1 is a part of the following products, however it is not used for logging. No action to perform.
2021 12 16 14:00 GMT+1	Added information about FlexNet Publisher in Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform.

Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform.

CATIA Magic portfolio

Magic Collaboration Studio (release 2021x Refresh1, 2021x Refresh2)
Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)

No Magic portfolio

Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
Cameo Collaborator for Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
MagicDraw (release 2021x Refresh1, 2021x Refresh2)
Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)

To Do: You have action to perform. See Remediation.

FlexNet Publisher

lmadmin (FlexNet Publisher 64-bit License Server Manager)

To Do: You have action to perform, if you are using lmadmin Alerter Service. For more information, see here.

Apache Log4j2 version 2.0-2.14.1 is a part of the following products, however it is not used for logging. No action to perform.

CATIA Magic portfolio

Magic Collaboration Studio (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

Cameo Collaborator for Teamwork Cloud (release 2021x, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
Teamwork Cloud (release 2021x , 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
Cameo DataHub plugin (release 2021x Refresh1, 2021x Refresh2)

The following products and versions are NOT affected. No action to perform.

CATIA Magic portfolio

Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

Teamwork Cloud (release 19.0)
Teamwork Server (release 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
Cameo Collaborator for Teamwork Cloud (release 19.0)
MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)

Remediation

For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect , MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)

Make sure application is not running
Download log4j v2.16.0 (or 2.17.0) from apache website (link)
Search now for these jar files in installation base
- log4j-core-2.*.jar
- log4j-1.2-api-2.*.jar
- log4j-api-2.*.jar
- log4j-slf4j-impl-2.*.jar
Replace any match by the 2.16.0 (or 2.17.0) version. Make sure the original filename is unchanged. See example below.
The replacing and renaming operations must be performed for all jar files found from the list

Example - if you find log4j-core-2.11.2.jar:

Remove log4j-core-2.11.2.jar
Copy log4j-core-2.16.0.jar to the same location
Rename log4j-core-2.16.0.jar to log4j-core-2.11.2.jar

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.

For collaboration tools (Magic Collaboration Studio, Cameo Collaborator for Teamwork Cloud, Teamwork Cloud)

In your installation base, please search for the following files: webapp.war, admin.war, collaborator.war, document-exporter.war, resource-usage-map.war, resources.war. If you do not find any result, you can stop the procedure here. Your installation does not contain web applications

If you find a match, you might need to replace log4j2 libraries inside each found war files (for example webapp.war). Please execute these steps:

Make sure application is not running
Download log4j v2.16.0 (or 2.17.0) from apache website (link)
Uncompress(unzip) webapp.war into any tmp folder
Search now for these jar files among unzipped ones

o log4j-core-2.*.jar

o log4j-api-2.*.jar

Replace any match by the 2.16.0 (or 2.17.0) version. Make sure the original filename is unchanged. See example below.
Compress(zip) all extracted files back to webapp_patched.war. Make sure files structure in new war is same as in original war.
Replace original webapp.war with webapp_patched.war and restore name back to webapp.war
Look for a folder named webapp next to webapp.war. Delete it if found.
Start application

Example - if you find log4j-core-2.11.2.jar:

Remove log4j-core-2.11.2.jar
Copy log4j-core-2.16.0.jar to the same location
Rename log4j-core-2.16.0.jar to log4j-core-2.11.2.jar

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.