cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228)

cvirata
Revenera Community Admin Revenera Community Admin
Revenera Community Admin
6 45 23.7K

UPDATE: Revenera’s response to Apache Log4j vulnerabilities CVE-2021-45105, CVE-2021-45046, CVE-2021-44228, and CVE-2021-4104

(as of 14-Jan 10:20 CST)

A critical vulnerability in Apache Log4j 2 impacting versions from 2.0-beta9 to 2.14.1 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-44228.

Revenera is expanding its product impact assessment and mitigation information to include CVE-2021-45105, CVE-2021-45046CVE-2021-44228, and CVE-2021-4104. This notice provides currently available information about the potential impact of these vulnerabilities on Revenera products. 

 

NOTE: Be advised this is an ongoing assessment. Information about related and subsequent Log4j CVEs not listed below may be found in the product's respective knowledge base. 

 

Information about Flexera products: Flexera’s response to Apache Log4j remote code execution vulnerability CVE-2021-4104, CVE-2021-45046 and CVE-2021-44228

Revenera Product Assessment

Product

Potential Exposure to CVE-2021-44228

Potential Exposure to CVE-2021-45105, CVE-2021-45046

Potential Exposure to CVE-2021-4104

Potentially Exposed Components or Versions

Fixed Version

Mitigation

InstallShield

No

No

No

N/A

N/A

KB Article

InstallAnywhere

No

No

No

N/A

N/A

KB Article

Code Insight

No

No

No

N/A

N/A

KB Article

Code Aware (independent of Code Insight)

No

No

No

N/A

N/A

KB Article

FlexNet Operations Cloud ALM

Yes

Yes

Yes

Revenera managed services:

  • Core module
  • Updates and Insights
  • Data Access APIs

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046, CVE-2021-4104: 2022.02

UAT: Upgraded to Log4j 2.17.0 (22-Dec)

PROD: Upgraded to Log4j 2.17.0 (23-Dec)

FlexNet Operations Cloud LLM

No

No

Yes

Core module

CVE-2021-4104: 2022.02

 

FlexNet Operations On-Premises

Yes

Yes

Yes

Core module

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046: 2021 R1 Hotfix

CVE-2021-4104: Pending

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046

FlexNet Embedded

Yes

Yes

Yes

FlexNet License Server Manager (FLSM)

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046: 2021.12.2 (or later)

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046

CVE-2021-4104 

FlexNet Publisher

Yes

Yes

No

2021 R4 (11.18.3.0), only when using lmadmin alerts example code

2021 R4 SP1 (11.18.3.1)

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046

FlexNet Connect

No

No

No

N/A

N/A

KB Article

Usage Intelligence

Yes

Yes

No

Java SDK

5.6.1

CVE-2021-44228, CVE-2021-45105, CVE-2021-45046

Compliance Intelligence

Yes

Yes

No

RDS (Revenera managed service)

PROD: Upgraded to Log4j 2.17.0 (20-Dec)

N/A

 

Related Information:

Apache Security Site for CVE severity, score, and vector string: https://logging.apache.org/log4j/2.x/security.html

CVE-2021-44228:

CVE-2021-4104:

CVE-2021-45046:

CVE-2021-45105:

Change Log

2022-01-14 10:20 CST: Updated FNO impact assessment and added index link to related CVEs.

2022-01-10 12:28 CST: Added KB link to FlexNet Publisher Log4j index.

2022-01-10 11:38 CST: Added note on where to find info on subsequent KBs and KB link to FlexNet Embedded Log4j index.

2021-12-30 16:01 CST: FlexNet Operations 2021 R1 On-Premises hotfix announced.

2021-12-30 15:27 CST: Updated Code Aware product assessment to 'No' for listed vulnerabilities. 

2021-12-30 13:19 CST: Usage Intelligence 5.6.1 fix available. Added download link. 

2021-12-28 13:29 CST: Added impact KB article for FlexNet Connect.

2021-12-24 20:20 CST: FLSM patch 2021.12.2 available on PLC. 

2021-12-24 20:08 CST: Updated Code Insight product assessment. 

2021-12-23 16:20 CST: Added target date for FLSM patch 

2021-12-23 15:48 CST: Product assessment updates for (InstallShield, InstallAnywhere, Code Insight, FlexNet Operations Cloud LLM, FlexNet Publisher, FlexNet Connect, and Compliance Intelligence). FlexNet Operations Cloud ALM components upgraded to Log4j 2.17.0. 

2021-12-22 ‎11:45 CST: Updated FlexNet Operations Cloud ALM with deployed fix in UAT. Open to customer testing. Fix deployment to Production pending.

2021-12-20 ‎13:30 CST: Updated Compliance Intelligence Fix Version column.

2021-12-17 13:12 CST: Updated KB article titles under Mitigation column to the respective CVE.

2021-12-17 11:50 CST: Security Advisory updated for CVE-2021-4104 and CVE-2021-45046. Assessments pending.

2021-12-16 10:25 CST: Updated FlexNet Operations On-Premises with mitigation steps in linked KB Article.

2021-12-16 9:14 CST: Updated InstallShield and InstallAnywhere potential exposure to 'No' based on Code Insight assessment.

2021-12-15 13:57 CST: Updated Standalone Code Insight potential exposure to 'No'. Linked KB article mitigation steps.

2021-12-15 10:22 CST: Linked mitigation KB article to InstallShield and InstallAnywhere assessments.

2021-12-14 14:30 CST: Updated FlexNet Connect potential exposure to 'No'.

2021-12-14 12:12 CST: Updated Code Insight potential exposure to 'No'. Published additional mitigation steps in linked KB article.

2021-12-14 10:35 CST: Added link to FlexNet Publisher mitigation steps KB article.

2021-12-13 23:17 CST: Added exposure clarification for InstallShield and updated mitigation steps.

2021-12-13 23:04 CST: Added exposure clarification for InstallAnywhere. 

2021-12-13 18:31 CST: Initial Revenera product assessment details published. 

2021-12-11 19:16 CST: Initial security advisory.


INITIAL SECURITY ADVISORY (Dec 11, 2021 05:16 PM):

As you may be aware, a vulnerability was discovered in the Log4j Java library, potentially allowing attackers to take control of systems and execute malicious commands. For more detailed information about the vulnerability, please see the following resources:

Revenera is actively working with our product teams to review Software Composition Analysis scans of our products to determine the impact, if any, on our solutions. We appreciate your patience and understanding, and we will provide an update once more information about affected products and remediation plans are confirmed.

45 Comments