Uniface User Forum

Hi.

As stated in CVE-2021-44228, and as it grows fast, there's a severe security risk alert on Log4J, an internal logging framework for Java.

Uniface is using Apache Tomcat and a java servlet for the WebApps (com.compuware.uniface.urd.WRDServlet).

Does anyone know if the Log4J framework is installed and if Uniface WebApp might be impacted ?

Jean-Marc

------------------------------
Jean-Marc Salis
Mp Services
Montauban Cedex FR
------------------------------

Uniface 9.7 and 10 is not affected by the log4j vulnerability, since it is not provided with the Uniface installation (and that also applies to the included Tomcat version). Older versions of Uniface (<= 9.6), however, had log4j version 1 included as part of Uniface Flow and Uniface View. But none of these old versions is supported anymore. For details see the Uniface Support Lifecycle.

We will issue an official statement here on the Rocket forum shortly.

It would of course be recommended to scan your application/Tomcat installation for either log4j in text files (possibly pointing to a custom configuration) or log4j*.jar files, in case the default installation of Uniface has been modified.

I hope this helps.

Daniel

------------------------------
Daniel Iseli
Principal Technical Support Engineer
Uniface Services
Rocket Software, Switzerland
------------------------------

Original Message:
Sent: 12-13-2021 09:40
From: Jean-Marc Salis
Subject: Is Uniface impacted by the Log4J security alert ?

Hi.

As stated in CVE-2021-44228, and as it grows fast, there's a severe security risk alert on Log4J, an internal logging framework for Java.

Uniface is using Apache Tomcat and a java servlet for the WebApps (com.compuware.uniface.urd.WRDServlet).

Does anyone know if the Log4J framework is installed and if Uniface WebApp might be impacted ?

Jean-Marc

------------------------------
Jean-Marc Salis
Mp Services
Montauban Cedex FR
------------------------------

Hi Daniel, 
How about Uniface Anywhere? 
Regards, 
Iain

------------------------------
Iain Sharp
Head of Technical Services
Pci Systems Ltd
Sheffield GB
------------------------------

Original Message:
Sent: 12-13-2021 10:58
From: Daniel Iseli
Subject: Is Uniface impacted by the Log4J security alert ?

Uniface 9.7 and 10 is not affected by the log4j vulnerability, since it is not provided with the Uniface installation (and that also applies to the included Tomcat version). Older versions of Uniface (<= 9.6), however, had log4j version 1 included as part of Uniface Flow and Uniface View. But none of these old versions is supported anymore. For details see the Uniface Support Lifecycle.

We will issue an official statement here on the Rocket forum shortly.

It would of course be recommended to scan your application/Tomcat installation for either log4j in text files (possibly pointing to a custom configuration) or log4j*.jar files, in case the default installation of Uniface has been modified.

I hope this helps.

Daniel

------------------------------
Daniel Iseli
Principal Technical Support Engineer
Uniface Services
Rocket Software, Switzerland

Original Message:
Sent: 12-13-2021 09:40
From: Jean-Marc Salis
Subject: Is Uniface impacted by the Log4J security alert ?

Hi.

As stated in CVE-2021-44228, and as it grows fast, there's a severe security risk alert on Log4J, an internal logging framework for Java.

Uniface is using Apache Tomcat and a java servlet for the WebApps (com.compuware.uniface.urd.WRDServlet).

Does anyone know if the Log4J framework is installed and if Uniface WebApp might be impacted ?

Jean-Marc

------------------------------
Jean-Marc Salis
Mp Services
Montauban Cedex FR
------------------------------

Hi Iain,

According to Nico, Uniface Anywhere does not use this either.

Regards,
Daniel

------------------------------
Daniel Iseli
Principal Technical Support Engineer
Uniface Services
Rocket Software, Switzerland
------------------------------

Original Message:
Sent: 12-14-2021 09:38
From: Iain Sharp
Subject: Is Uniface impacted by the Log4J security alert ?

Hi Daniel, 
How about Uniface Anywhere? 
Regards, 
Iain

------------------------------
Iain Sharp
Head of Technical Services
Pci Systems Ltd
Sheffield GB

Original Message:
Sent: 12-13-2021 10:58
From: Daniel Iseli
Subject: Is Uniface impacted by the Log4J security alert ?

Uniface 9.7 and 10 is not affected by the log4j vulnerability, since it is not provided with the Uniface installation (and that also applies to the included Tomcat version). Older versions of Uniface (<= 9.6), however, had log4j version 1 included as part of Uniface Flow and Uniface View. But none of these old versions is supported anymore. For details see the Uniface Support Lifecycle.

We will issue an official statement here on the Rocket forum shortly.

It would of course be recommended to scan your application/Tomcat installation for either log4j in text files (possibly pointing to a custom configuration) or log4j*.jar files, in case the default installation of Uniface has been modified.

I hope this helps.

Daniel

------------------------------
Daniel Iseli
Principal Technical Support Engineer
Uniface Services
Rocket Software, Switzerland

Original Message:
Sent: 12-13-2021 09:40
From: Jean-Marc Salis
Subject: Is Uniface impacted by the Log4J security alert ?

Hi.

As stated in CVE-2021-44228, and as it grows fast, there's a severe security risk alert on Log4J, an internal logging framework for Java.

Uniface is using Apache Tomcat and a java servlet for the WebApps (com.compuware.uniface.urd.WRDServlet).

Does anyone know if the Log4J framework is installed and if Uniface WebApp might be impacted ?

Jean-Marc

------------------------------
Jean-Marc Salis
Mp Services
Montauban Cedex FR
------------------------------

Thanks Daniel.

[signature_1350389360]<https: www.pcisystems.co.uk/="">

[cid:image002.png@01D7F101.DC319FE0]<https: image003.png@01D7F101.DC319FE0]<https:">www.facebook.com/pcisystems="">[cid:image003.png@01D7F101.DC319FE0]<https: twitter.com/pcisystems="">[cid:image004.png@01D7F101.DC319FE0]<https: www.linkedin.com/company/pci-systems-ltd/about/="">
Iain Sharp
Head of Technical Services
PCI Systems Ltd., Unit One Acorn Business Park
Woodseats Close, Sheffield S8 0TB
e: isharp@pcisystems.co.uk<mailto:isharp@pcisystems.co.uk> w: pcisystems.co.uk<https: www.pcisystems.co.uk/="">
t: +44 (0)114 201 2200
Our Partners
[signature_1506909922]<https: www.bssa.org.uk/="">[signature_1835764311]<https: www.nass.org.uk/="">[signature_637875992]<https: www.thecalmzone.net/="">

[cid:image008.jpg@01D7F101.DC319FE0]<https: pcisystems.co.uk/profit/="">

STATEMENT OF CONFIDENTIALITY: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender immediately and do not copy, distribute or take any action in reliance upon it. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

PCI Systems Limited is a limited company registered in England and Wales with registered number 03336338. Our registered office is at Unit One, Acorn Business Park, Woodseats Close, Sheffield, S8 0TB. Our VAT number is 691 3168 24. PCI Systems Limited is part of the Jonas Group of companies.


Original Message:
Sent: 12/14/2021 10:44:00 AM
From: Daniel Iseli
Subject: RE: Is Uniface impacted by the Log4J security alert ?

Hi Iain,

According to Nico, Uniface Anywhere does not use this either.

Regards,
Daniel

------------------------------
Daniel Iseli
Principal Technical Support Engineer
Uniface Services
Rocket Software, Switzerland
------------------------------

Original Message:
Sent: 12-14-2021 09:38
From: Iain Sharp
Subject: Is Uniface impacted by the Log4J security alert ?

Hi Daniel, 
How about Uniface Anywhere? 
Regards, 
Iain

------------------------------
Iain Sharp
Head of Technical Services
Pci Systems Ltd
Sheffield GB

Original Message:
Sent: 12-13-2021 10:58
From: Daniel Iseli
Subject: Is Uniface impacted by the Log4J security alert ?

Uniface 9.7 and 10 is not affected by the log4j vulnerability, since it is not provided with the Uniface installation (and that also applies to the included Tomcat version). Older versions of Uniface (<= 9.6), however, had log4j version 1 included as part of Uniface Flow and Uniface View. But none of these old versions is supported anymore. For details see the Uniface Support Lifecycle.

We will issue an official statement here on the Rocket forum shortly.

It would of course be recommended to scan your application/Tomcat installation for either log4j in text files (possibly pointing to a custom configuration) or log4j*.jar files, in case the default installation of Uniface has been modified.

I hope this helps.

Daniel

------------------------------
Daniel Iseli
Principal Technical Support Engineer
Uniface Services
Rocket Software, Switzerland

Original Message:
Sent: 12-13-2021 09:40
From: Jean-Marc Salis
Subject: Is Uniface impacted by the Log4J security alert ?

Hi.

As stated in CVE-2021-44228, and as it grows fast, there's a severe security risk alert on Log4J, an internal logging framework for Java.

Uniface is using Apache Tomcat and a java servlet for the WebApps (com.compuware.uniface.urd.WRDServlet).

Does anyone know if the Log4J framework is installed and if Uniface WebApp might be impacted ?

Jean-Marc

------------------------------
Jean-Marc Salis
Mp Services
Montauban Cedex FR
------------------------------</https:></https:></https:></https:></https:></mailto:isharp@pcisystems.co.uk></https:></https:></https:></https:>

Uniface Anywhere does not use Log4j. Therefore, it is not affected by this vulnerability.

------------------------------
Nico Peereboom
Rocket Internal - All Brands
Amsterdam CO NL
------------------------------

Original Message:
Sent: 12-14-2021 09:38
From: Iain Sharp
Subject: Is Uniface impacted by the Log4J security alert ?

Hi Daniel, 
How about Uniface Anywhere? 
Regards, 
Iain

------------------------------
Iain Sharp
Head of Technical Services
Pci Systems Ltd
Sheffield GB

Original Message:
Sent: 12-13-2021 10:58
From: Daniel Iseli
Subject: Is Uniface impacted by the Log4J security alert ?

Uniface 9.7 and 10 is not affected by the log4j vulnerability, since it is not provided with the Uniface installation (and that also applies to the included Tomcat version). Older versions of Uniface (<= 9.6), however, had log4j version 1 included as part of Uniface Flow and Uniface View. But none of these old versions is supported anymore. For details see the Uniface Support Lifecycle.

We will issue an official statement here on the Rocket forum shortly.

It would of course be recommended to scan your application/Tomcat installation for either log4j in text files (possibly pointing to a custom configuration) or log4j*.jar files, in case the default installation of Uniface has been modified.

I hope this helps.

Daniel

------------------------------
Daniel Iseli
Principal Technical Support Engineer
Uniface Services
Rocket Software, Switzerland

Original Message:
Sent: 12-13-2021 09:40
From: Jean-Marc Salis
Subject: Is Uniface impacted by the Log4J security alert ?

Hi.

As stated in CVE-2021-44228, and as it grows fast, there's a severe security risk alert on Log4J, an internal logging framework for Java.

Uniface is using Apache Tomcat and a java servlet for the WebApps (com.compuware.uniface.urd.WRDServlet).

Does anyone know if the Log4J framework is installed and if Uniface WebApp might be impacted ?

Jean-Marc

------------------------------
Jean-Marc Salis
Mp Services
Montauban Cedex FR
------------------------------