dummzeuch

Log4J in Embarcadero License Server

I just checked our Linux servers for Java programs using Log4J. One that was found was the Embarcadero License Server.

It uses log4j-1.2.15.jar:

/opt/Embarcadero/ELC5.33/ReportingEngine/lib/log4j-1.2.15.jar.

Now the question is: Is this version affected?

According to various sources, the affected versions are 2.0-beta9 to 2.14.1, so that would mean the version used in ELC is not affected because it is so ancient.

Unfortunately there is another view on this:

Quote:

Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

Source: https://logging.apache.org/log4j/2.x/security.html

It's after August 2015, so at least the Apache Foundation has not checked the 1.x versions for this vulnerability.

I have no idea when the vulnerable functionality was introduced. It might have been during development of Log4J2 so version 1.x would not be affected.

Does anybody else have information about this? Did you maybe already hear from Embarcadero?

@Moderators: Feel free to move this post to a different section if you think it does not belong here.

Edited by dummzeuch


According to this posting, Log4J 1.x might also be vulnerable, but the risk is much lower.

Also, of course, you should be safe as long as you don't expose the ELC to the Internet.

(And who in their right mind would do that?)


You should raise this with EMBT. We are doing a thorough investigation to close all the log4j holes we can find, and there have been a few surprises.

I don't do much Java related stuff, but if you use SmartBear ReadyAPI, there is an update out with a fix.

If you have a lot of .jar files, have a look at https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html and the Syft and Grype tools.

Onsite Jira and Confluence can be exposed if custom logging has been turned on: https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

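Added example, not from the thread, from Embarcadero or from the tools linked above: a small Python scanner for the kind of check described in this thread. It walks a directory tree for log4j jars, takes the version from the filename (the 2.0-beta9 to 2.14.1 range quoted above), reports 1.x jars as end-of-life rather than in range, and looks inside each archive for the JndiLookup class that carries the lookup feature, so a log4j-api jar or a core jar with that class stripped out is told apart from a vulnerable core jar. The filename pattern, the verdict tokens and the sample jar tree are my own assumptions.

```python
import re, tempfile, zipfile
from pathlib import Path

# The ${jndi:...} lookup class; it ships in log4j-core, not in log4j-api or in 1.x jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"^log4j(?:-core|-api)?-(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?\.jar$")

def jar_version(name):
    """(major, minor, patch, beta) parsed from a log4j jar filename, or None."""
    m = NAME_RE.match(name)
    if m:
        major, minor, patch, beta = m.groups()
        return int(major), int(minor), int(patch or 0), (int(beta) if beta else None)

def in_affected_range(major, minor, patch, beta):
    """CVE-2021-44228 range as quoted in the thread: 2.0-beta9 through 2.14.1."""
    if major != 2:
        return False
    if beta is not None:
        return minor == 0 and beta >= 9
    return minor < 14 or (minor == 14 and patch <= 1)

def classify(path):
    """Verdict for one jar: version from the filename, then a look inside the archive."""
    v = jar_version(path.name)
    if v is None:
        return "UNKNOWN"
    if v[0] == 1:
        return "EOL_1X"  # outside the 2.x range, but unsupported since 2015
    with zipfile.ZipFile(path) as jar:
        has_lookup = JNDI_LOOKUP in jar.namelist()
    if not has_lookup:
        return "NO_JNDI_LOOKUP"  # log4j-api, or a core jar with the class stripped out
    return "AFFECTED" if in_affected_range(*v) else "NEWER_2X"

def scan(root):
    return {p.name: classify(p) for p in Path(root).rglob("*.jar")}

def build_sample_tree():
    """Constructed sample data: near-empty jars holding the members each version would carry."""
    root = Path(tempfile.mkdtemp())
    samples = {"log4j-1.2.15.jar": ["org/apache/log4j/Logger.class"],
               "log4j-core-2.14.1.jar": [JNDI_LOOKUP], "log4j-core-2.17.1.jar": [JNDI_LOOKUP],
               "log4j-api-2.14.1.jar": ["org/apache/logging/log4j/Logger.class"]}
    for name, members in samples.items():
        with zipfile.ZipFile(root / name, "w") as jar:
            for member in members:
                jar.writestr(member, b"")
    return root
```

Run `scan("/opt")` (or the root where the jars live) to get a filename-to-verdict map; `scan(build_sample_tree())` exercises all four verdicts on the constructed jars.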
