[updated on 2021 12 20 21:00 GMT+1]
More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
Change log
Timestamp | Description |
---|---|
2021 12 20 21:00 GMT+1 | |
2021 12 20 16:30 GMT+1 | Added log4j version 2.17.0 for modeling and collaboration tools in Remediation. |
2021 12 17 14:00 GMT+1 | Updated Remediation options for modeling and collaboration tools. |
2021 12 17 13:00 GMT+1 | Updated log4j version from 2.15.0 to 2.16.0 for modeling and collaboration tools in Remediation. |
2021 12 16 14:00 GMT+1 | Added Cameo DataHub plugin to the list in "Apache Log4j2 version 2.0-2.14.1 is a part of the following products, however it is not used for logging. No action to perform." |
2021 12 16 14:00 GMT+1 | Added information about FlexNet Publisher in "Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform." |
Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform.
CATIA Magic portfolio
- Magic Collaboration Studio (release 2021x Refresh1, 2021x Refresh2)
- Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
- Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
- Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)
No Magic portfolio
- Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
- Cameo Collaborator for Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
- MagicDraw (release 2021x Refresh1, 2021x Refresh2)
- Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
- Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)
To Do: You have an action to perform. See Remediation.
FlexNet Publisher
- lmadmin (FlexNet Publisher 64-bit License Server Manager)
To Do: You have an action to perform if you are using the lmadmin Alerter Service. For more information, see here.
Apache Log4j2 version 2.0-2.14.1 is a part of the following products, however it is not used for logging. No action to perform.
CATIA Magic portfolio
- Magic Collaboration Studio (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
No Magic portfolio
- Cameo Collaborator for Teamwork Cloud (release 2021x, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Teamwork Cloud (release 2021x, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Cameo DataHub plugin (release 2021x Refresh1, 2021x Refresh2)
The following products and versions are NOT affected. No action to perform.
CATIA Magic portfolio
- Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
No Magic portfolio
- Teamwork Cloud (release 19.0)
- Teamwork Server (release 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
- Cameo Collaborator for Teamwork Cloud (release 19.0)
- MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
- Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
- Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
Remediation
For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect, MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)
- Make sure the application is not running
- Download log4j v2.16.0 (or 2.17.0) from the Apache website (link)
- Search the installation base for these jar files:
  - log4j-core-2.*.jar
  - log4j-1.2-api-2.*.jar
  - log4j-api-2.*.jar
  - log4j-slf4j-impl-2.*.jar
- Replace every match with the 2.16.0 (or 2.17.0) version. Make sure the original filename is unchanged. See the example below.
- The replace-and-rename operation must be performed for every jar file found from the list
Example - if you find log4j-core-2.11.2.jar:
- Remove log4j-core-2.11.2.jar
- Copy log4j-core-2.16.0.jar to the same location
- Rename log4j-core-2.16.0.jar to log4j-core-2.11.2.jar
See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.
For collaboration tools (Magic Collaboration Studio, Cameo Collaborator for Teamwork Cloud, Teamwork Cloud)
In your installation base, please search for the following files: webapp.war, admin.war, collaborator.war, document-exporter.war, resource-usage-map.war, resources.war. If you do not find any result, you can stop the procedure here. Your installation does not contain web applications.
If you find a match, you might need to replace the log4j2 libraries inside each .war file found (for example webapp.war). Please execute these steps:
- Make sure the application is not running
- Download log4j v2.16.0 (or 2.17.0) from the Apache website (link)
- Uncompress (unzip) webapp.war into any temporary folder
- Search the unzipped files for these jar files:
  - log4j-core-2.*.jar
  - log4j-api-2.*.jar
- Replace every match with the 2.16.0 (or 2.17.0) version. Make sure the original filename is unchanged. See the example below.
- Compress (zip) all extracted files back into webapp_patched.war. Make sure the file structure in the new .war is the same as in the original .war.
- Replace the original webapp.war with webapp_patched.war and rename it back to webapp.war
- Look for a folder named webapp next to webapp.war. Delete it if found.
- Start the application
Example - if you find log4j-core-2.11.2.jar:
- Remove log4j-core-2.11.2.jar
- Copy log4j-core-2.16.0.jar to the same location
- Rename log4j-core-2.16.0.jar to log4j-core-2.11.2.jar
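Both replacement procedures above (loose jars under the modeling tools, and jars inside the collaboration tools' .war files) as an added helper; this is not part of the advisory or of the vendor's tooling. It assumes the 2.16.0 or 2.17.0 jars were already downloaded into one folder, keeps every original file and entry name as the advisory requires, and demo() builds a constructed sample layout instead of touching a real install.

```python
import re, shutil, tempfile, zipfile
from pathlib import Path

# Jar names the advisory says to search for (all four under the modeling tools, core and api in wars).
JAR_RE = re.compile(r"^(log4j-(?:core|api|1\.2-api|slf4j-impl))-2\.(\d+)\.\d+\.jar$")
LOOSE = {"log4j-core", "log4j-api", "log4j-1.2-api", "log4j-slf4j-impl"}
IN_WAR = {"log4j-core", "log4j-api"}

def vulnerable(name, artifacts):
    """Artifact name if `name` is a listed log4j jar at 2.0 .. 2.14.x, else None."""
    m = JAR_RE.match(name)
    return m.group(1) if m and m.group(1) in artifacts and int(m.group(2)) < 15 else None

def replacement_for(artifact, downloads):
    """The downloaded 2.16.0 / 2.17.0 jar for `artifact` (raises if it is missing)."""
    for cand in sorted(Path(downloads).iterdir()):
        if (m := JAR_RE.match(cand.name)) and m.group(1) == artifact and int(m.group(2)) >= 16:
            return cand
    raise FileNotFoundError(f"no 2.16+ jar for {artifact} in {downloads}")

def patch_install_dir(base, downloads):
    """Modeling tools: overwrite each vulnerable loose jar, keeping its file name."""
    hits = [j for j in sorted(Path(base).rglob("log4j-*.jar")) if vulnerable(j.name, LOOSE)]
    for jar in hits:  # new bytes, old file name (log4j-core-2.11.2.jar stays so named)
        shutil.copyfile(replacement_for(vulnerable(jar.name, LOOSE), downloads), jar)
    return [j.name for j in hits]

def patch_war(war, downloads):
    """Collaboration tools: rebuild the .war with new jar bytes under the old entry names."""
    war = Path(war); tmp, patched = war.with_name(war.stem + "_patched.war"), []
    with zipfile.ZipFile(war) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data, artifact = src.read(info), vulnerable(Path(info.filename).name, IN_WAR)
            if artifact:
                data = replacement_for(artifact, downloads).read_bytes()
                patched.append(info.filename)
            dst.writestr(info, data)  # same entry name, path and attributes inside the war
    tmp.replace(war)  # webapp_patched.war takes the original's place and name
    shutil.rmtree(war.with_suffix(""), ignore_errors=True)  # stale exploded folder next to it
    return patched

def demo():
    """Constructed sample layout (not a real install); returns what was patched."""
    dl, lib = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    for p in (dl / "log4j-core-2.16.0.jar", dl / "log4j-api-2.16.0.jar"): p.write_bytes(b"NEW")
    for p in (lib / "log4j-core-2.11.2.jar", lib / "log4j-api-2.11.2.jar"): p.write_bytes(b"OLD")
    with zipfile.ZipFile(lib / "webapp.war", "w") as w:
        w.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", b"OLD")
        w.writestr("WEB-INF/web.xml", b"<web-app/>")
    return patch_install_dir(lib, dl), patch_war(lib / "webapp.war", dl)
```

A jar already at 2.15.0 or later is left untouched, and a missing download for a needed artifact stops the run before anything is overwritten in that step.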
See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.