dummzeuch Posted December 14, 2021 (edited)

I just checked our Linux servers for Java programs using Log4J. One that was found was the Embarcadero License Server. It uses log4j-1.2.15.jar: /opt/Embarcadero/ELC5.33/ReportingEngine/lib/log4j-1.2.15.jar. Now the question is: Is this version affected? According to various sources, the affected versions are 2.0-beta9 to 2.14.1, so that would mean the version used in ELC is not affected because it is so ancient. Unfortunately there is another view on this:

Quote: "Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes." Source: https://logging.apache.org/log4j/2.x/security.html

It's after August 2015, so at least the Apache Foundation has not checked the 1.x versions for this vulnerability. I have no idea when the vulnerable functionality was introduced. It might have been during development of Log4J2, so version 1.x would not be affected. Does anybody else have information about this? Did you maybe already hear from Embarcadero?

@Moderators: Feel free to move this post to a different section if you think it does not belong here.

Edited December 14, 2021 by dummzeuch
dummzeuch Posted December 14, 2021

According to this posting, Log4J 1.x might also be vulnerable, but the risk is much lower. Also, of course, you should be safe as long as you don't expose the ELC to the Internet. (And who in their right mind would do that?)
Lars Fosdal Posted December 14, 2021

You should raise this with EMBT. We are doing a thorough investigation to close all the log4j holes we can find, and there have been a few surprises. I don't do much Java related stuff, but if you use SmartBear ReadyAPI, there is an update out with a fix. If you have a lot of .jar files, have a look at https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html and the Syft and Grype tools. Onsite Jira and Confluence can be exposed if custom logging has been turned on: https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html
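The first post does the inventory by file name and then has to ask which generation and range a found jar falls into; Lars points at tools that do the same job at scale. The script below is an added example (not from the thread, not Embarcadero's or Apache's code) showing the triage logic those tools implement: it walks a directory, identifies Log4j jars by the class packages they contain rather than by file name (so a renamed or vendor-bundled copy is not missed), reads the version from META-INF/MANIFEST.MF with the file name as fallback, and labels each hit against the 2.0-beta9 to 2.14.1 range the first post cites, flagging 1.x as end-of-life and unchecked per the Apache statement quoted above. The sample tree, jar names, manifest contents and the label strings are constructed for the demo; an "outside-cited-range" label only means the version is outside the range this thread quotes and still has to be checked against the current advisory.

```python
"""Log4j jar inventory triage (added example for the thread, not vendor code).

Labels are based only on the range quoted in the thread for CVE-2021-44228
(2.0-beta9 through 2.14.1, inclusive). 1.x jars are labelled eol-unverified
because Apache states 1.x was not checked after August 2015.
"""
import os
import re
import tempfile
import zipfile

AFFECTED_LOW = "2.0-beta9"   # range boundaries as quoted in the first post
AFFECTED_HIGH = "2.14.1"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
FILENAME_RE = re.compile(r"log4j(?:-core|-api)?-(?P<ver>\d[\w.\-]*)\.jar$", re.I)
TAG_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # pre-release tags sort before a release


def version_key(version):
    """Comparable tuple for a Log4j version string (2.0-beta9 < 2.0 < 2.14.1)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, tag_num = m.groups()
    rank = TAG_RANK[tag.lower()] if tag else 3
    return (int(major), int(minor), int(patch or 0), rank, int(tag_num or 0))


def classify(version):
    """Map a version string to a triage label using only the thread's cited range."""
    try:
        key = version_key(version)
    except ValueError:
        return "unparsed-version"
    if key[0] == 1:
        return "eol-unverified"          # Log4j 1.x: end of life, not assessed by Apache
    if version_key(AFFECTED_LOW) <= key <= version_key(AFFECTED_HIGH):
        return "affected"
    return "outside-cited-range"         # still verify against the current advisory


def inspect_jar(path):
    """Return (generation, version) if the jar carries Log4j classes, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            manifest = ""
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, OSError):
        return None
    # Decide the generation from package paths, not from the file name.
    if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        generation = "2.x"
    elif any(n.startswith("org/apache/log4j/") for n in names):
        generation = "1.x"
    else:
        return None
    version = None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            version = line.split(":", 1)[1].strip()
            break
    if version is None:                  # fall back to a versioned file name
        m = FILENAME_RE.search(os.path.basename(path))
        version = m.group("ver") if m else None
    return generation, version


def scan(root):
    """Walk root; return {relative jar path: (generation, version, label)}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            info = inspect_jar(path)
            if info is None:
                continue
            generation, version = info
            label = classify(version) if version else f"unknown-version-{generation}"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings[rel] = (generation, version, label)
    return findings


def build_sample_tree(root):
    """Constructed fixture: empty class entries are enough for package detection."""
    def make_jar(relpath, entries, impl_version=None):
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            if impl_version:
                zf.writestr("META-INF/MANIFEST.MF",
                            f"Manifest-Version: 1.0\nImplementation-Version: {impl_version}\n")
            for entry in entries:
                zf.writestr(entry, b"")
    make_jar("ELC/ReportingEngine/lib/log4j-1.2.15.jar", ["org/apache/log4j/Logger.class"])
    make_jar("app/lib/log4j-core-2.14.1.jar",
             ["org/apache/logging/log4j/core/LogEvent.class"], "2.14.1")
    make_jar("app/lib/vendor-bundle.jar",                    # renamed copy, version only in manifest
             ["org/apache/logging/log4j/core/LogEvent.class"], "2.0-beta9")
    make_jar("app/lib/commons-io-2.11.0.jar", ["org/apache/commons/io/IOUtils.class"])


def demo():
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for jar, (gen, ver, label) in sorted(demo().items()):
        print(f"{label:22} {gen:4} {ver or '?':10} {jar}")
```

Point `scan()` at a real root such as /opt to reproduce the first post's inventory; the manifest lookup is what catches the vendor-bundle case a `find -name 'log4j*'` misses, and the 1.x label keeps the ELC jar visible as an open item rather than silently passing it as out of range.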