More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
Apache Log4j2 version <2.15.0 is a part of the following products in these versions:
CATIA Magic portfolio
- Magic Collaboration Studio (release 2021x, 2021x Refresh1, 2021x Refresh2, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
- Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
- Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)
No Magic portfolio
- Teamwork Cloud (release 2021x, 2021x Refresh1, 2021x Refresh2, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Cameo Collaborator for Teamwork Cloud (release 2021x, 2021x Refresh1, 2021x Refresh2, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- MagicDraw (release 2021x Refresh1, 2021x Refresh2)
- Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
- Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)
Remediation
For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect , MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)
Option 1
- Download the latest log4j 2.15.0 patched version .
- Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.15.0 zip file while keeping the original file name.
Example:
- if found: log4j-core-2.11.2.jar
- then remove log4j-core-2.11.2.jar
- copy log4j-core-2.15.0.jar over to log4j-core-2.11.2.jar
- repeat for any other log4j 2.x file found.
See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.
Option 2
If you cannot upgrade log4j, you may add
-Dlog4j.formatMsgNoLookups=true
as a command line option or add
log4j.formatMsgNoLookups=true
to a <modeling tool installation directory>\bin\<modeling tool>.properties file (e.g. magicdraw.properties, csm.properties, cameoea.properties) on the classpath to prevent lookups in the log event message.
For collaboration tools (Magic Collaboration Studio 19.0 SP2 - 19.0 SP4, Cameo Collaborator for Teamwork Cloud 19.0 SP1-SP4, Teamwork Cloud 19. SP1 - SP4)
Option 1
Please add
-Dlog4j.formatMsgNoLookups=true
as a command line option or add
log4j.formatMsgNoLookups=true
to a <modeling tool installation directory>\bin\<modeling tool>.properties file (e.g. magicdraw.properties, csm.properties, cameoea.properties) on the classpath to prevent lookups in the log event message.
Option 2 (more complicated)
- Download the latest log4j 2.15.0 patched version .
- Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.15.0 zip file while keeping the original file name.
Example:
- if found: log4j-core-2.11.2.jar
- then remove log4j-core-2.11.2.jar
- copy log4j-core-2.15.0.jar over to log4j-core-2.11.2.jar
- repeat for any other log4j 2.x file found.
See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.
The following products and versions are NOT affected:
CATIA Magic portfolio
- Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
No Magic portfolio
- Teamwork Cloud (release 19.0)
- Cameo Collaborator for Teamwork Cloud (release 19.0)
- MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
- Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
- Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)