Apache Log4j vulnerability (CVE-2021-44228) - Critical
Since the Apache Log4j vulnerability (CVE-2021-44228) was disclosed on Dec 09, 2021, your MV teams have been actively monitoring the issue and assessing its impact on the MV products.
The following MV products have been impacted. Product impact and next steps are detailed below.
MV BASIC for VS Code:
MV BASIC for VS Code v1.3.0 and prior contains and uses a version of Log4j that can potentially be exploited through this vulnerability. We have therefore upgraded the bundled Log4j to v2.16.0 in MVVS 1.3.2, which resolves the issue, and advise you to upgrade by downloading the latest extension from the Visual Studio Code Marketplace.
NOT IMPACTED:
The following MV products DO NOT contain any version of Log4j, OR contain a version of Log4j that is not impacted by the vulnerability:
MV Application Servers:
UniVerse
UniData
D3
OpenQM
mvBase
jBASE
Server Tools:
U2 DB Tools
U2 Common Clients
U2 Toolkit for .NET
Tools:
MVX
MVIS
MVConnect
MVS Toolkit
U2 Web DE
SBXA
wIntegrate
AccuTerm
MVDashboard
Spring Boot logback vulnerability (CVE-2021-42550) - Medium
The Spring Boot logback issue is separate from the critical Log4j issue above.
While our security team was monitoring the Log4j vulnerability, they were notified that Spring was moving to logback version 1.2.8 (LOGBACK-1591).
This vulnerability carries a much lower risk than the Log4j vulnerability (http://logback.qos.ch/news.html). It was reported to the National Vulnerability Database as CVE-2021-42550 and affects logback versions prior to 1.2.8; exploiting it requires an attacker who can already edit the logback configuration file.
The following MV products/versions have been impacted by CVE-2021-42550. Product impact and next steps are detailed below.
MVX v1.1.0
MVIS v1.3.0
U2 DBTools v4.4.1
Remediation
All products have been removed from hold status in RBC.
MVX v.1.1.0:
v1.1.1 was released including logback v1.2.8
MVIS v1.3.0 and U2 DBTools v4.4.1:
After technical review of MVIS and U2 DBTools we determined that the vulnerability risk is very low. Furthermore, the listed products do not meet the criteria for exploit published on the logback news page, since an attacker would need write access to the logback configuration file. As a precaution, we will upgrade to logback version 1.2.9 (or later) in the next maintenance release of MVIS and U2 DBTools.
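To verify for yourself which bundled logging libraries a product installation carries, the following script walks a directory tree, opens every JAR/WAR/EAR (including archives nested inside other archives), reads the Maven pom.properties of log4j-core and logback-classic, and flags versions below the fixed releases named in this notice (Log4j 2.16.0 and logback 1.2.8). It also reports whether a log4j-core still contains JndiLookup.class, the class that the widely published mitigation removes. This is an added example written for this page, not Rocket Software's own tooling; the sample JARs it builds under a temporary directory are constructed test data, not real product artefacts, and the version thresholds are the ones this notice states (adjust them if your policy requires later releases).

```python
"""Scan a directory tree for JARs bundling log4j-core / logback-classic and
flag versions below the fixed releases named in the advisory (added example)."""
import io
import os
import re
import sys
import tempfile
import zipfile

# Fixed versions as stated in the advisory: anything older is flagged.
FIXED = {
    ("org.apache.logging.log4j", "log4j-core"): ("CVE-2021-44228", (2, 16, 0)),
    ("ch.qos.logback", "logback-classic"): ("CVE-2021-42550", (1, 2, 8)),
}
POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers like '-SNAPSHOT' are dropped and
    missing components are padded with 0 so tuple comparison is meaningful."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def read_pom_properties(data):
    """Parse a Maven pom.properties blob (key=value lines) into a dict."""
    props = {}
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    return props


def scan_archive_bytes(data, path, findings, depth=0):
    """Record tracked artefacts in this archive, then recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        present = set(names)
        for name in names:
            if POM_RE.match(name):
                props = read_pom_properties(zf.read(name))
                key = (props.get("groupId"), props.get("artifactId"))
                if key not in FIXED:
                    continue
                cve, fixed = FIXED[key]
                ver = props.get("version", "")
                findings.append({
                    "path": path, "artifact": key[1], "version": ver, "cve": cve,
                    "affected": parse_version(ver) < fixed,
                    "jndi_lookup_present": key[1] == "log4j-core" and JNDI_CLASS in present,
                })
            elif name.lower().endswith(ARCHIVES) and depth < 4:
                scan_archive_bytes(zf.read(name), path + "!" + name, findings, depth + 1)


def scan_tree(root):
    """Scan every archive below root; returns a list of finding dicts."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVES):
                p = os.path.join(dirpath, fn)
                with open(p, "rb") as fh:
                    scan_archive_bytes(fh.read(), p, findings)
    return findings


def _make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def _pom(group, artifact, version):
    return f"groupId={group}\nartifactId={artifact}\nversion={version}\n".encode()


def build_sample_tree():
    """Constructed sample data (not real product files): an old log4j-core, a
    fixed log4j-core nested inside a .war, and an old logback-classic."""
    root = tempfile.mkdtemp(prefix="logscan-")
    os.makedirs(os.path.join(root, "lib"))
    l4j_pom = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    old_log4j = _make_jar({l4j_pom: _pom("org.apache.logging.log4j", "log4j-core", "2.14.1"), JNDI_CLASS: b""})
    new_log4j = _make_jar({l4j_pom: _pom("org.apache.logging.log4j", "log4j-core", "2.16.0"), JNDI_CLASS: b""})
    old_logback = _make_jar({"META-INF/maven/ch.qos.logback/logback-classic/pom.properties":
                             _pom("ch.qos.logback", "logback-classic", "1.2.7")})
    app_war = _make_jar({"WEB-INF/lib/log4j-core-2.16.0.jar": new_log4j})
    for name, blob in [("lib/log4j-core-2.14.1.jar", old_log4j),
                       ("lib/logback-classic-1.2.7.jar", old_logback), ("app.war", app_war)]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan_tree(root):
        status = "AFFECTED" if f["affected"] else "ok"
        print(f"{status:8} {f['artifact']} {f['version']} ({f['cve']}) in {f['path']}")
```

Run it as `python scan.py /path/to/install` to check a real installation (for example the extracted VS Code extension directory); with no argument it scans the constructed sample tree. Because the check reads pom.properties rather than trusting the file name, it still catches a relocated or renamed library inside a fat jar.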
Please feel free to reach out to support should you have any questions or concerns regarding any of the MV products and the security vulnerabilities.
------------------------------
Christine Rizza
MV Product Manager
Rocket Software
crizza@rocketsoftware.com
------------------------------