Security Notice - Log4J1 and Log4J2 CVEs [UPDATED]

As part of its build and quality processes, the Semarchy engineering team monitors Common Vulnerabilities and Exposures (CVEs) that affect libraries or third-party components shipped in the Semarchy/Stambia products.

Multiple vulnerabilities affecting the Log4J2 (Log4J version 2) library, commonly used by applications for logging, have been reported under the references CVE-2021-44228, CVE-2021-45105, CVE-2021-44832, and CVE-2021-45046.

Multiple vulnerabilities affecting the Log4J1 (Log4J version 1) library, commonly used by applications for logging, have been reported under the references CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307.

The impact on each product is summarized below.

• Designer
  • The Designer does not use Log4J for logging. It is therefore not affected by the reported vulnerabilities.
• Analytics
  • Analytics does not use Log4J2 (Log4J version 2). It is not affected by the Log4J2 vulnerabilities.
  • Analytics uses the previous version of that library, Log4J1 (Log4J version 1), which has other reported vulnerabilities. However, Analytics is not affected by these vulnerabilities.
• Runtime
  • The Runtime does not use Log4J2 (Log4J version 2). It is not affected by the Log4J2 vulnerabilities.
  • The Runtime uses the previous version of that library, Log4J1 (Log4J version 1), which has other reported vulnerabilities that can be easily identified and mitigated.
• Components
  • The only component shipping Log4J2 (Log4J version 2) is the ElasticSearch component, which is not affected by the CVEs (Log4J2 is a transitive dependency there and is not exposed to end users).
    Although not affected, the ElasticSearch component has been upgraded in Component Pack version 3.0.0 to use Log4J2 version 2.16.0, which includes the fixes for CVE-2021-44228 and CVE-2021-45046.
    Although not affected, the ElasticSearch component will be upgraded in the next Component Pack minor version, 3.1.0, to use Log4J2 version 2.17.1, which includes the fixes for CVE-2021-45105 and CVE-2021-44832. The product team is also considering backporting the change to a 3.0.x version.
• License Server
  • The License Server product includes only the API of the Apache Log4J2 library, not its implementation. It is therefore not affected by the vulnerabilities.
    Although not affected, the License Server has been upgraded in version 5.3.0 to use Log4J2 version 2.16.0, which includes the fixes for CVE-2021-44228 and CVE-2021-45046.
    Although not affected, the License Server will be upgraded in the next minor version, 5.4.0, to use Log4J2 version 2.17.1, which includes the fixes for CVE-2021-45105 and CVE-2021-44832. The product team is also considering backporting the change to a 5.3.x version.
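The statements above rest on which Log4J artifacts each product actually ships (Log4J1 only, the Log4J2 API without log4j-core, or a transitive log4j-core). The following script is an added example, not Semarchy's code, that inventories the jars under an installation directory and reports, per jar, the Log4J flavour, the Maven version string, and whether the class files behind the CVEs named in this notice are present. The class-to-CVE mapping and the use of META-INF/maven/*/pom.properties for the version are assumptions about the upstream Log4J jars, and the sample jars it builds are constructed stand-ins with empty class entries.

```python
import re, tempfile, zipfile
from pathlib import Path

# Class files tied to the CVEs in the notice; presence is an inventory signal, not proof a product is exploitable.
CLASS_MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "CVE-2021-44228/CVE-2021-45046",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/SMTPAppender.class": "CVE-2020-9488",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/Main.class": "CVE-2022-23307",
}
V2_CORE, V2_API, V1 = "org/apache/logging/log4j/core/", "org/apache/logging/log4j/", "org/apache/log4j/"

def jar_version(zf, names):
    """Version from the pom.properties that Maven-built Log4J jars include (assumption), else 'unknown'."""
    props = [n for n in names if n.startswith("META-INF/maven/") and n.endswith("/pom.properties")]
    m = props and re.search(r"^version=(.+)$", zf.read(props[0]).decode(errors="replace"), re.M)
    return m.group(1).strip() if m else "unknown"

def scan_jar(path):
    """Inventory record for a jar that ships Log4J classes, else None."""
    with zipfile.ZipFile(path) as zf:
        names = sorted(zf.namelist())
        core = any(n.startswith(V2_CORE) for n in names)           # log4j-core: the implementation
        api = any(n.startswith(V2_API) and not n.startswith(V2_CORE) for n in names)  # log4j-api only
        v1 = any(n.startswith(V1) for n in names)                  # Log4J1
        if not (core or api or v1):
            return None
        return {"jar": Path(path).name, "version": jar_version(zf, names), "log4j2_core": core,
                "log4j2_api_only": api and not core, "log4j1": v1,
                "cve_markers": sorted(cve for cls, cve in CLASS_MARKERS.items() if cls in names)}

def scan_tree(root):
    """Inventory every .jar under root (e.g. a product installation directory)."""
    return [rec for p in sorted(Path(root).rglob("*.jar")) if (rec := scan_jar(p))]

def build_samples(directory):
    """Constructed jars (empty class entries, not real Log4J builds) so the scan runs offline."""
    samples = {
        "log4j-api-2.17.1.jar": ["org/apache/logging/log4j/Logger.class"],
        "log4j-core-2.14.1.jar": ["org/apache/logging/log4j/core/lookup/JndiLookup.class"],
        "log4j-1.2.17.jar": ["org/apache/log4j/net/SocketServer.class", "org/apache/log4j/net/JMSSink.class"],
    }
    for jar, classes in samples.items():
        with zipfile.ZipFile(Path(directory) / jar, "w") as zf:
            zf.writestr(f"META-INF/maven/x/{jar[:-4]}/pom.properties", f"version={jar.rsplit('-', 1)[1][:-4]}\n")
            for cls in classes:
                zf.writestr(cls, b"")

def demo():
    """Scan the constructed samples in a temporary directory and return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan_tree(tmp)
```

Run `scan_tree("/path/to/install")` against a real installation; a jar reported as `log4j2_api_only` with no markers matches the License Server situation described above, while a `log4j1` jar with markers lists which Log4J1 CVE code paths ship and therefore need the mitigation check.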

The attached Security Notice provides detailed information on all the reported vulnerabilities.

Do not hesitate to contact our support team if you have additional questions or need further clarification.