
CVE-2021-44228: Log4j vulnerability impact on InstallAnywhere

Summary:

A vulnerability identified as CVE-2021-44228 has been reported in the Apache Log4j library. This vulnerability may allow for remote code execution in susceptible products.

Applies To:

InstallAnywhere 2018

Description

If you are using any version of InstallAnywhere other than the above, you are not impacted and you can choose to skip the rest of the article.

NOTE: Installers built with InstallAnywhere (any version) do not contain the Log4j 2 library and are therefore not impacted.

InstallAnywhere 2018 contains the Log4j 2.x library by virtue of an additional module, Code Aware, which is used to scan for open-source components included in your project. Code Aware is a separate item in the Build menu that invokes a scanning wizard. The module must be explicitly invoked; it is not invoked automatically when InstallAnywhere launches or when projects are built using the IDE or Standalone Build. However, our analysis concluded that the Log4j 2.x library included in Code Aware is NOT actually used: Code Aware uses SLF4J logging, which in turn points to and uses the native implementation of the logback library.

This file is available only in the InstallAnywhere 2018 Windows installer.

Bottom line: even InstallAnywhere 2018 is NOT impacted by this vulnerability. However, depending on your corporate security policies, you may consider the existence of the Log4j 2.x file a risk. This article outlines the steps to remove Code Aware from your machines.

Resolution

No fix is required.

Workaround

Code Aware is not tightly coupled to the product and is not automatically invoked during the launch of InstallAnywhere. Code Aware is also not a separate installer on the machine, so its files can be deleted from the InstallAnywhere home directory.

Remediation Steps for InstallAnywhere 2018

1. Navigate to the InstallAnywhere 2018 installation directory, “C:\Program Files (x86)\InstallAnywhere 2018”.

2. Delete the directory “FlexNet Code Aware”.
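
The two steps above as a PowerShell script, with a before-and-after check for Log4j 2.x jar files. This is an added example and not part of the original article. The script parameters, the helper name `Find-Log4jJar` and the jar file name pattern are assumptions; the two paths are the ones given in the steps.

```powershell
# Added example: remove the Code Aware directory and confirm which Log4j 2.x jars remain.
# Assumption: the jars follow the usual Apache Log4j 2 naming
# (log4j-core-<version>.jar, log4j-api-<version>.jar). Jars nested inside
# other archives are not detected by this file-name check.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$InstallDir    = 'C:\Program Files (x86)\InstallAnywhere 2018',
    [string]$ModuleDirName = 'FlexNet Code Aware'
)

function Find-Log4jJar {
    param([Parameter(Mandatory = $true)][string]$Root)
    # Walk the tree and keep only files named like Log4j 2.x core/api jars.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'log4j-*.jar' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^log4j-(core|api)-2\..*\.jar$' }
}

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    Write-Output "InstallAnywhere 2018 not found at '$InstallDir'; nothing to do."
    return
}

# Inventory before removal, so there is a record of what was on the machine.
$before = @(Find-Log4jJar -Root $InstallDir)
Write-Output "Log4j 2.x jars found before removal: $($before.Count)"
$before | ForEach-Object { Write-Output "  $($_.FullName)" }

# Step 2 of the article: delete the Code Aware directory.
$target = Join-Path -Path $InstallDir -ChildPath $ModuleDirName
if (Test-Path -LiteralPath $target -PathType Container) {
    if ($PSCmdlet.ShouldProcess($target, 'Remove directory')) {
        Remove-Item -LiteralPath $target -Recurse -Force
    }
} else {
    Write-Output "'$target' is already absent."
}

# Re-scan: anything still listed lives outside the Code Aware directory.
$after = @(Find-Log4jJar -Root $InstallDir)
if ($after.Count -eq 0) {
    Write-Output 'No Log4j 2.x jars remain under the installation directory.'
} else {
    Write-Warning "Log4j 2.x jars still present: $($after.Count)"
    $after | ForEach-Object { Write-Output "  $($_.FullName)" }
}
```

Run it from an elevated PowerShell session, since the directory is under Program Files; pass `-WhatIf` first to preview the deletion without performing it.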

Last update: Dec 15, 2021 03:19 PM