CVE-2021-44228: Log4j vulnerability impact on InstallAnywhere
Summary:
A vulnerability identified as CVE-2021-44228 has been reported in the Apache Log4j library. This vulnerability may allow for remote code execution in susceptible products.
Applies To:
InstallAnywhere 2018
Description
If you are using any version of InstallAnywhere other than the above, you are not impacted and can skip the rest of this article.
NOTE: Installers built with InstallAnywhere (any version) do not contain the Log4j 2 library and are therefore not impacted.
InstallAnywhere 2018 contains the Log4j 2.x library by virtue of an additional module, Code Aware, which is used to scan for open-source components included in your project. Code Aware is a separate item in the Build menu that invokes a scanning wizard. The module must be explicitly invoked; it is not invoked automatically when InstallAnywhere launches or when projects are built using the IDE or Standalone Build. However, in our analysis, we concluded that the Log4j 2.x library included in Code Aware is NOT actually used: Code Aware uses SLF4J logging, which in turn points to and uses the native implementation of the logback library.
This file is available only in the InstallAnywhere 2018 Windows installer.
Bottom line: even InstallAnywhere 2018 is NOT impacted by this vulnerability. However, depending on your corporate security policies, you may consider the presence of the Log4j 2.x file a risk, and this article outlines the steps to remove Code Aware from your machines.
Resolution
No fix is required.
Workaround
Code Aware is not tightly coupled to the product and is not automatically invoked during the launch of InstallAnywhere. Also, Code Aware is not a separate installer on the machine. The files can be deleted from the InstallAnywhere home directory.
Remediation Steps for InstallAnywhere 2018
1. Navigate to the InstallAnywhere 2018 installation directory “C:\Program Files (x86)\InstallAnywhere 2018”.
2. Delete the directory “FlexNet Code Aware”.
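
The two steps above can be scripted so that the removal is recorded and verified on each build machine. The following PowerShell is an added example, not Revenera's own tooling. It assumes the default installation path given in step 1 and that the bundled library follows the usual `log4j*.jar` file naming; the `Get-Log4jJar` helper and the `-InstallHome` parameter are names introduced here.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Default path from step 1 of the article; override if installed elsewhere.
    [string]$InstallHome = 'C:\Program Files (x86)\InstallAnywhere 2018'
)

# Hypothetical helper: list Log4j jars under a directory tree.
# Assumption: the library file matches the common log4j*.jar naming.
function Get-Log4jJar {
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'log4j*.jar' -ErrorAction SilentlyContinue
}

if (-not (Test-Path -LiteralPath $InstallHome)) {
    Write-Output "InstallAnywhere 2018 not found at '$InstallHome'; nothing to do."
    return
}

$codeAware = Join-Path $InstallHome 'FlexNet Code Aware'

# Record what is present before removal (useful evidence for a change ticket).
$before = @(Get-Log4jJar -Root $InstallHome)
$before | ForEach-Object { Write-Output "Found before removal: $($_.FullName)" }

# Step 2: delete the Code Aware directory. Honors -WhatIf and -Confirm.
if (Test-Path -LiteralPath $codeAware) {
    if ($PSCmdlet.ShouldProcess($codeAware, 'Delete directory')) {
        Remove-Item -LiteralPath $codeAware -Recurse -Force
    }
} else {
    Write-Output "'$codeAware' is already absent."
}

# Verify: the directory is gone and no Log4j jar remains under the install home.
$after = @(Get-Log4jJar -Root $InstallHome)
if (Test-Path -LiteralPath $codeAware) {
    Write-Warning "'$codeAware' still exists."
}
if ($after.Count -gt 0) {
    Write-Warning "Log4j jars still present under '$InstallHome':"
    $after | ForEach-Object { Write-Output "  $($_.FullName)" }
} else {
    Write-Output "No log4j*.jar files remain under '$InstallHome'."
}
```

Run the script from an elevated PowerShell session, since the directory is under Program Files; pass `-WhatIf` to preview the deletion without performing it.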