Summary

A critical vulnerability potentially allowing remote code execution in Apache Log4j 2 impacting all versions from 2.0-beta9 to 2.14.1 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-44228.

Flexera is expanding its product impact assessment and mitigation information to also cover CVE-2021-4104, CVE-2021-45046 and CVE-2021-45105 which affect earlier versions of Apache Log4j. These CVEs have lower severities than the primary CVE-2021-44228 vulnerability.

This article provides currently available information about the potential impact of these vulnerabilities on Flexera products.

For information about how Flexera's solutions can help with identifying potential exposures to log4j in other software, see the following post: Identifying Apache Log4j JNDI Vulnerability “Log4Shell” and Variants

This is an ongoing assessment. Updates will be made to this advisory as further information becomes available.

Flexera product assessment

The information on this page reflects:

• The assessed current status of Flexera's SaaS systems.
• The assessed status of all versions of Flexera's products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.flexera.com/eol/default.htm.

* In an earlier revision of this page, AdminStudio 2018 was identified as potentially exposed due to the possibility that an edition of InstallShield that shipped with CodeInsight (which does include Log4j) was used. Further assessment has confirmed AdminStudio did not include this edition.

** In an earlier revision of this page, SVM Cloud and SVR were identified as potentially exposed, but the products were not affected, rather an internal tool used for logging which has been updated.

Use of Log4j in Flexera's products

Versions of Apache log4j components that are not vulnerable to CVE-2021-44228 are used in a number of Flexera's products and associated 3rd party products. Apache have identified the vulnerability applies specifically to the log4j-core JAR file versions 2.0-beta9 to 2.14.1.

See the following page for details: https://logging.apache.org/log4j/2.x/security.html.

Other log4j components (such as the log4j-api-2.* JAR file) in this version range have not been identified as vulnerable.

Related information

• Information about Revenera products: Revenera’s response to Apache Log4j 2 remote code execution vulnerability CVE-2021-44228
• CVE definitions:
  • https://nvd.nist.gov/vuln/detail/CVE-2021-4104
  • https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  • https://nvd.nist.gov/vuln/detail/CVE-2021-45046
  • https://nvd.nist.gov/vuln/detail/CVE-2021-45105 
• Expanded CVE definitions:
  • https://www.cve.org/CVERecord?id=CVE-2021-4104
  • https://www.cve.org/CVERecord?id=CVE-2021-44228
  • https://www.cve.org/CVERecord?id=CVE-2021-45046
  • https://www.cve.org/CVERecord?id=CVE-2021-45105
• Apache Security Site for CVE severity, score, and vector string: https://logging.apache.org/log4j/2.x/security.html

Change log

2021-12-12 6:05pm CST: Initial advisory.

2021-12-13 6:45pm CST: Update with current assessment details for Flexera products.

2021-12-13 7:30pm CST: Update potential exposure status of Software Vulnerability Manager Cloud and Software Vulnerability Research after remediation activity performed by Flexera.

2021-12-13 11:35pm CST: Update potential exposure status of CloudScape / Foundation after remediation activity performed by Flexera.

2021-12-14 2:10am CST: Add initial comments about mitigation approach for Spider.

2021-12-14 4:50am CST: Add assessments for Cloud Management Platform and individual Flexera One products. 

2021-12-14 7:50am CST: Note AdminStudio 2019 as no longer considered potentially exposed.

2021-12-14 4:45pm CST: Note Flexera Analytics (Cognos) as potentially exposed. Add notes on product versions that have been assessed. Add link to mitigation guidance for Spider.

2021-12-14 7:41pm CST:  Columbus assessment has been updated to not potentially exposed.

2021-12-15 7:05am CST: Note AdminStudio 2018 is no longer considered potentially exposed.

2021-12-15 9:33am CST: Add links to mitigation details for Flexera Analytics (Cognos) for FlexNet Manager Suite On Premises and FlexNet Manager for Engineering Applications.

2021-12-15 11:40pm CST: Update list of affected Log4j 2 versions based on latest information published by Apache. Add notes about the use of Log4j in Flexera's products.

2021-12-15 11:50pm CST: Updated status of Flexera One IT Visibility to show as not potentially exposed.

2021-12-16 1:15am CST: Updated status of Flexera One SaaS Manager to not potentially exposed after remediation activity performed by Flexera.

2021-12-17 11:11 am CST: Updated to include CVE-2021-4104 and CVE-2021-45046.

2021-12-17 12:17 am CST: Updated assessment details on CVE-2021-4104 and CVE-2021-45046.

2021-12-20 11:44 pm CST: Added linked to Spider mitigation details.

2021-12-23 11:26 pm CST:  Added CVE-2021-45105. Split CVE-2021-4104 into its own column. Updated statuses of products.

2021-12-29 5:42 pm CST: Add details of potentially exposed and fixed versions of Data Platform. Updated status of Technopedia to show as not potentially exposed to CVE-2021-4104. Update description of affected Log4j 2 versions based on latest information published by Apache.

2021-12-30 1:06 pm CST: Add link to Data Platform mitigation article.

2021-12-30 10:20pm CST: Clarify that components in FlexNet Manager for Engineering Applications apart from Cognos may be vulnerable to CVE-2021-4104.

2022-01-06 10:51pm CST: Clarify that other Spider components apart from ESI are not known to be exposed, and show a fix for the Spider ESI component as "pending" as consideration is given to whether a fix may be feasible.

2022-01-10 1:42pm CST: Updated Cloud Cost Optimization (Optima) of Potential Exposure to CVE-2021-45046, CVE-2021-45105 to no.

2022-01-13 9:19pm CST: Updated SaaS Management of Potential Exposure to CVE-2021-45046, CVE-2021-45105 to no.

2022-01-14 1:43pm CST:  Updated Data Platform's Potential Exposure to CVE-2021-4104 status to "Under investigation"

2022-01-18 10:18pm CST: Updated IT Asset Management's Potential Exposure to CVE-2021-45046, CVE-2021-45105 status to "No".

2022-01-28 5:00am CST: Added link to article about mitigating Log4j 1.2 vulnerability for FlexNet Manager for Engineering Applications.

2022-02-01 10:58pm CST: Updated Data Platform's Potential Exposure to CVE-2021-4104 status to "Yes", Potentially Exposed Components or Versions to "User Console (all versions)", Fixed Version to "5.5.48 (Partial. See "Mitigation"), and added link to the mitigation article under Mitigation

2022-02-21 4:30am CST: Add fix version and link to mitigation details for potential vulnerability exposure in CloudScape / Foundation.