
CVE-2021-44228: Log4j vulnerability impact on InstallShield

Summary:

A vulnerability identified as CVE-2021-44228 has been reported in the Apache Log4j library. This vulnerability may allow for remote code execution in susceptible products.

Applies To:

InstallShield 2016 SP2

InstallShield 2018, SP1/SP2

Description:

If you are using any version of InstallShield other than the above, you are not impacted and you can choose to skip the rest of the article.

NOTE: Installers built with InstallShield (any version) do not contain the Log4j 2 library, therefore they are not impacted.

InstallShield 2016 SP2 and InstallShield 2018 contain the Log4j 2.x library by virtue of an additional module, Code Aware, which is used to scan for open-source components included in your project. Code Aware is a separate item in the Project menu that invokes a scanning wizard. This module must be explicitly invoked; it is not invoked automatically when InstallShield is launched or when projects are built using the IDE or the Standalone Build. However, in our analysis, we concluded that the Log4j 2.x library included in Code Aware is NOT actually used: Code Aware uses SLF4J logging, which in turn points to and uses the native implementation of the logback library. In case you’d like to understand more about Code Aware integration with InstallShield, please click here.

Bottom line: InstallShield 2018 and InstallShield 2016 SP2 are also NOT impacted by this vulnerability. However, depending on your corporate security policies, you may consider the existence of the Log4j 2.x file a risk, and this article outlines steps to remove Code Aware from your machines.

Resolution:

No fix is required.

Workaround:

Please follow the steps below to remove Code Aware from your installation.

Remediation Steps for InstallShield 2018

Steps to remove Code Aware application included as part of InstallShield 2018:

1. Log in as the user that was used to install InstallShield 2018.

2. Uninstall ‘FlexNet Code Aware’.

  • Go to Programs and Features, press and hold (or right-click) ‘FlexNet Code Aware’, and select Uninstall or Uninstall/Change. Then follow the directions on the screen.
  • Ensure codeaware.jar is not present in the following location: <InstallShield_Installation_Location>\FlexNet Code Aware.

Remediation Steps for InstallShield 2016 SP2

In InstallShield 2016 SP2, Code Aware is not bundled along with the installer. It is downloaded and installed on demand by the user.

1. Log in as the user that was used to install InstallShield 2016 SP2.

2. Go to Programs and Features and search for the ‘FlexNet Code Aware’ application. No action is required if it is not found. If found, uninstall ‘FlexNet Code Aware’.

  • Press and hold (or right-click) ‘FlexNet Code Aware’ and select Uninstall or Uninstall/Change. Then follow the directions on the screen.
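
To confirm the removal on either version, the following PowerShell check can be run after the steps above. It is an added example, not part of the original article or the vendor's tooling. It assumes the standard Windows Uninstall registry keys reflect Programs and Features, that the `-InstallShieldLocation` parameter (a name chosen here) is given your actual `<InstallShield_Installation_Location>`, and that the presence of the `JndiLookup` class marks a Log4j 2.x core library.

```powershell
# Added example: verify FlexNet Code Aware and its bundled Log4j 2.x files are gone.
param(
    # Assumption: the real <InstallShield_Installation_Location> on this machine.
    [Parameter(Mandatory = $true)][string]$InstallShieldLocation
)
Add-Type -AssemblyName System.IO.Compression.FileSystem
$findings = New-Object System.Collections.Generic.List[string]

# 1. Programs and Features is backed by these Uninstall registry keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*FlexNet Code Aware*' }
foreach ($entry in $entries) {
    $findings.Add("Still installed: $($entry.DisplayName)")
}

# 2. codeaware.jar must not remain in the Code Aware folder.
$codeAwareDir = Join-Path $InstallShieldLocation 'FlexNet Code Aware'
if (Test-Path -LiteralPath (Join-Path $codeAwareDir 'codeaware.jar')) {
    $findings.Add("codeaware.jar still present in $codeAwareDir")
}

# 3. Flag leftover JARs that contain Log4j 2.x core (JndiLookup class) or a
#    nested log4j-core JAR. Nested archives are matched by name, not unpacked.
$jars = @()
if (Test-Path -LiteralPath $codeAwareDir) {
    $jars = Get-ChildItem -LiteralPath $codeAwareDir -Recurse -File -Filter '*.jar'
}
foreach ($jar in $jars) {
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
        try {
            $hit = $zip.Entries | Where-Object {
                $_.FullName -like '*org/apache/logging/log4j/core/lookup/JndiLookup.class' -or
                $_.Name -like 'log4j-core-2*.jar'
            }
            if ($hit) { $findings.Add("Log4j 2.x content in $($jar.FullName)") }
        } finally { $zip.Dispose() }
    } catch {
        $findings.Add("Could not inspect $($jar.FullName): $($_.Exception.Message)")
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'FlexNet Code Aware not found; no Log4j 2.x files under the Code Aware folder.'
```

A non-zero exit code means at least one check failed, which makes the script usable from a software-inventory or compliance job across build machines.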
Last update: Dec 15, 2021 03:17 PM