- Revenera Community
- :
- Revenera Company
- :
- Revenera Company News
- :
- Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228)
Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228)
- Mark as New
- Mark as Read
- Subscribe
- Printer Friendly Page
UPDATE: Revenera’s response to Apache Log4j vulnerabilities CVE-2021-45105, CVE-2021-45046, CVE-2021-44228, and CVE-2021-4104
(as of 14-Jan 10:20 CST)
A critical vulnerability in Apache Log4j 2 impacting versions from 2.0-beta9 to 2.14.1 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-44228.
Revenera is expanding its product impact assessment and mitigation information to include CVE-2021-45105, CVE-2021-45046, CVE-2021-44228, and CVE-2021-4104. This notice provides currently available information about the potential impact of these vulnerabilities on Revenera products.
NOTE: Be advised this is an ongoing assessment. Information about related and subsequent Log4j CVEs not listed below may be found in the product's respective knowledge base. |
Information about Flexera products: Flexera’s response to Apache Log4j remote code execution vulnerability CVE-2021-4104, CVE-2021-45046 and CVE-2021-44228
Revenera Product Assessment
Product |
Potential Exposure to CVE-2021-44228 |
Potential Exposure to CVE-2021-45105, CVE-2021-45046 |
Potential Exposure to CVE-2021-4104 |
Potentially Exposed Components or Versions |
Fixed Version |
Mitigation |
InstallShield |
No |
No |
No |
N/A |
N/A |
|
InstallAnywhere |
No |
No |
No |
N/A |
N/A |
|
Code Insight |
No |
No |
No |
N/A |
N/A |
|
Code Aware (independent of Code Insight) |
No |
No |
No |
N/A |
N/A |
|
Yes |
Yes |
Yes |
Revenera managed services:
|
CVE-2021-44228, CVE-2021-45105, CVE-2021-45046, CVE-2021-4104: 2022.02 |
UAT: Upgraded to Log4j 2.17.0 (22-Dec) PROD: Upgraded to Log4j 2.17.0 (23-Dec) |
|
No |
No |
Yes |
Core module |
CVE-2021-4104: 2022.02 |
|
|
Yes |
Yes |
Yes |
Core module |
CVE-2021-44228, CVE-2021-45105, CVE-2021-45046: 2021 R1 Hotfix CVE-2021-4104: Pending |
||
Yes |
Yes |
Yes |
FlexNet License Server Manager (FLSM) |
CVE-2021-44228, CVE-2021-45105, CVE-2021-45046: 2021.12.2 (or later) |
||
Yes |
Yes |
No |
2021 R4 (11.18.3.0), only when using lmadmin alerts example code |
2021 R4 SP1 (11.18.3.1) |
||
FlexNet Connect |
No |
No |
No |
N/A |
N/A |
|
Usage Intelligence |
Yes |
Yes |
No |
Java SDK |
5.6.1 |
|
Compliance Intelligence |
Yes |
Yes |
No |
RDS (Revenera managed service) |
PROD: Upgraded to Log4j 2.17.0 (20-Dec) |
N/A |
Related Information:
Apache Security Site for CVE severity, score, and vector string: https://logging.apache.org/log4j/2.x/security.html
CVE-2021-44228:
- CVE Definitions: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- Expanded CVE Definitions: https://www.cve.org/CVERecord?id=CVE-2021-44228
CVE-2021-4104:
- CVE Definitions: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
- Expanded CVE Definitions: https://www.cve.org/CVERecord?id=CVE-2021-4104
CVE-2021-45046:
- CVE Definitions: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
- Expanded CVE Definitions: https://www.cve.org/CVERecord?id=CVE-2021-45046
CVE-2021-45105:
- CVE Definitions: https://nvd.nist.gov/vuln/detail/CVE-2021-45105
- Expanded CVE Definitions: https://www.cve.org/CVERecord?id=CVE-2021-45105
Change Log
2022-01-14 10:20 CST: Updated FNO impact assessment and added index link to related CVEs.
2022-01-10 12:28 CST: Added KB link to FlexNet Publisher Log4j index.
2022-01-10 11:38 CST: Added note on where to find info on subsequent KBs and KB link to FlexNet Embedded Log4j index.
2021-12-30 16:01 CST: FlexNet Operations 2021 R1 On-Premises hotfix announced.
2021-12-30 15:27 CST: Updated Code Aware product assessment to 'No' for listed vulnerabilities.
2021-12-30 13:19 CST: Usage Intelligence 5.6.1 fix available. Added download link.
2021-12-28 13:29 CST: Added impact KB article for FlexNet Connect.
2021-12-24 20:20 CST: FLSM patch 2021.12.2 available on PLC.
2021-12-24 20:08 CST: Updated Code Insight product assessment.
2021-12-23 16:20 CST: Added target date for FLSM patch
2021-12-23 15:48 CST: Product assessment updates for (InstallShield, InstallAnywhere, Code Insight, FlexNet Operations Cloud LLM, FlexNet Publisher, FlexNet Connect, and Compliance Intelligence). FlexNet Operations Cloud ALM components upgraded to Log4j 2.17.0.
2021-12-22 11:45 CST: Updated FlexNet Operations Cloud ALM with deployed fix in UAT. Open to customer testing. Fix deployment to Production pending.
2021-12-20 13:30 CST: Updated Compliance Intelligence Fix Version column.
2021-12-17 13:12 CST: Updated KB article titles under Mitigation column to the respective CVE.
2021-12-17 11:50 CST: Security Advisory updated for CVE-2021-4104 and CVE-2021-45046. Assessments pending.
2021-12-16 10:25 CST: Updated FlexNet Operations On-Premises with mitigation steps in linked KB Article.
2021-12-16 9:14 CST: Updated InstallShield and InstallAnywhere potential exposure to 'No' based on Code Insight assessment.
2021-12-15 13:57 CST: Updated Standalone Code Insight potential exposure to 'No'. Linked KB article mitigation steps.
2021-12-15 10:22 CST: Linked mitigation KB article to InstallShield and InstallAnywhere assessments.
2021-12-14 14:30 CST: Updated FlexNet Connect potential exposure to 'No'.
2021-12-14 12:12 CST: Updated Code Insight potential exposure to 'No'. Published additional mitigation steps in linked KB article.
2021-12-14 10:35 CST: Added link to FlexNet Publisher mitigation steps KB article.
2021-12-13 23:17 CST: Added exposure clarification for InstallShield and updated mitigation steps.
2021-12-13 23:04 CST: Added exposure clarification for InstallAnywhere.
2021-12-13 18:31 CST: Initial Revenera product assessment details published.
2021-12-11 19:16 CST: Initial security advisory.
INITIAL SECURITY ADVISORY (Dec 11, 2021 05:16 PM):
As you may be aware, a vulnerability was discovered in the Log4j Java library, potentially allowing attackers to take control of systems and execute malicious commands. For more detailed information about the vulnerability, please see the following resources:
- CVE Definition: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- Expanded CVE Definition: https://www.cve.org/CVERecord?id=CVE-2021-44228
- Apache Security Site for CVE severity, score, and vector string: https://logging.apache.org/log4j/2.x/security.html
Revenera is actively working with our product teams to review Software Composition Analysis scans of our products to determine the impact, if any, on our solutions. We appreciate your patience and understanding, and we will provide an update once more information about affected products and remediation plans are confirmed.