[updated on 2021 12 17 14:00 GMT+1]
More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
Change log
Timestamp | Description |
---|---|
2021 12 17 14:00 GMT+1 | Updated Remediation options for modeling and collaboration tools. |
2021 12 17 13:00 GMT+1 | Updated log4j version from 2.15.0 to 2.16.0 for modeling and collaboration tools in Remediation. |
2021 12 16 14:00 GMT+1 | Added Cameo DataHub plugin to the list in Apache Log4j2 version 2.0-2.14.1 is a part of the following products, however it is not used for logging. No action to perform. |
2021 12 16 14:00 GMT+1 | Added information about FlexNet Publisher in Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform. |
Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform.
CATIA Magic portfolio
- Magic Collaboration Studio (release 2021x Refresh1, 2021x Refresh2)
- Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
- Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
- Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)
No Magic portfolio
- Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
- Cameo Collaborator for Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
- MagicDraw (release 2021x Refresh1, 2021x Refresh2)
- Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
- Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)
To Do: You have action to perform. See Remediation.
FlexNet Publisher
- lmadmin (FlexNet Publisher 64-bit License Server Manager)
To Do: You have action to perform, if you are using lmadmin Alerter Service. For more information, see here.
Apache Log4j2 version 2.0-2.14.1 is a part of the following products, however it is not used for logging. No action to perform.
CATIA Magic portfolio
- Magic Collaboration Studio (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
No Magic portfolio
- Cameo Collaborator for Teamwork Cloud (release 2021x, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Teamwork Cloud (release 2021x , 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Cameo DataHub plugin (release 2021x Refresh1, 2021x Refresh2)
The following products and versions are NOT affected. No action to perform.
CATIA Magic portfolio
- Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
No Magic portfolio
- Teamwork Cloud (release 19.0)
- Teamwork Server (release 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
- Cameo Collaborator for Teamwork Cloud (release 19.0)
- MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
- Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
- Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
Remediation
For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect , MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)
- Download the latest log4j 2.16.0 patched version.
- Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.16.0 zip file while keeping the original file name.
Example:
- if found: log4j-core-2.11.2.jar
- then remove log4j-core-2.11.2.jar
- copy log4j-core-2.16.0.jar over to log4j-core-2.11.2.jar
- repeat for any other log4j 2.x file found.
See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.
For collaboration tools (Magic Collaboration Studio, Cameo Collaborator for Teamwork Cloud, Teamwork Cloud)
- Download the latest log4j 2.16.0 patched version.
- Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.16.0 zip file while keeping the original file name.
Example:
- if found: log4j-core-2.11.2.jar
- then remove log4j-core-2.11.2.jar
- copy log4j-core-2.16.0.jar over to log4j-core-2.11.2.jar
- repeat for any other log4j 2.x file found.
See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.