More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
Apache Log4j2 version <2.15.0 is part of the following products in these versions:
CATIA Magic portfolio
Magic Collaboration Studio (release 2021x Refresh1, 2021x Refresh2)
Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)
No Magic portfolio
Cameo Collaborator for Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
MagicDraw (release 2021x Refresh1, 2021x Refresh2)
Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)
Remediation
Option 1
- Download the newest log4j 2.15.0 patched version.
- Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.15.0 zip file while keeping the original file name.
Example:
- if found: log4j-core-2.11.2.jar
- then remove log4j-core-2.11.2.jar
- copy log4j-core-2.15.0.jar over to log4j-core-2.11.2.jar
- repeat for any other log4j 2.x file found.
See detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.
Option 2
If you cannot upgrade log4j, you may add
-Dlog4j.formatMsgNoLookups=true
as a command line option or add
log4j.formatMsgNoLookups=true
to a <modeling tool installation directory>\bin\<modeling tool>.properties file (e.g. magicdraw.properties, csm.properties, cameoea.properties) on the classpath to prevent lookups in log event messages.
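Because Option 1 keeps the original file name, a replaced jar still looks like an old version when you scan by name. The following check is an added example, not vendor code: it reads each log4j jar's version from its manifest and also reports whether the Option 2 setting is present in a properties file under bin. The function names are hypothetical, and it assumes the jars carry an Implementation-Version manifest entry.

```python
import re
import sys
import zipfile
from pathlib import Path

FIXED = (2, 15, 0)  # patched version named in this advisory
# Assumption: the jar manifest carries an Implementation-Version line.
VER_RE = re.compile(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", re.M)
# Matches the Option 2 setting (with or without -D) on a non-comment line.
FLAG_RE = re.compile(r"^[^#\n]*log4j\.formatMsgNoLookups\s*=\s*true", re.M)


def jar_version(jar_path):
    """Return (major, minor, patch) read from the jar manifest, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    match = VER_RE.search(manifest)
    return tuple(int(part) for part in match.groups()) if match else None


def audit(install_dir):
    """List log4j jars still below FIXED and report the Option 2 setting."""
    root = Path(install_dir)
    outdated = []
    for jar in sorted(root.rglob("*.jar")):
        if not jar.name.lower().startswith("log4j-"):
            continue
        ver = jar_version(jar)
        # Unreadable versions (None) are listed too, for manual review.
        if ver is None or (ver[0] == 2 and ver < FIXED):
            outdated.append((jar.relative_to(root).as_posix(), ver))
    flag_set = any(
        FLAG_RE.search(props.read_text(errors="replace"))
        for props in (root / "bin").glob("*.properties")
    )
    return {"outdated": outdated, "no_lookups_flag": flag_set}


if __name__ == "__main__":
    # Usage: python audit_log4j.py <modeling tool installation directory>
    result = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, ver in result["outdated"]:
        print("needs replacement:", path, ver)
    print("formatMsgNoLookups set:", result["no_lookups_flag"])
```

An empty "needs replacement" list after Option 1 confirms that every log4j 2.x jar was actually swapped, whatever its file name says.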
The following products and versions are not affected:
CATIA Magic portfolio
Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
No Magic portfolio
MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
Under investigation
Teamwork Cloud (all releases)
Cameo Collaborator for Teamwork Cloud (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
Magic Collaboration Studio (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)