Apache Log4j vulnerability (CVE-2021-44228) - Critical
As the Apache Log4j vulnerability (CVE-2021-44228) was disclosed on Dec 09, 2021, your MV teams have been actively monitoring the issue and assessing its impact on the MV products.
The following MV products have been impacted. Product impact and next steps are detailed below.
MV BASIC for VS Code:
MV BASIC for VS Code v1.3.0 and prior contains and uses a version of Log4j that is affected by this vulnerability. We have therefore upgraded the Log4j version in MVVS 1.3.2 to v2.16.0 to resolve this issue and advise that you upgrade by downloading the latest extension on the Visual Studio Code Marketplace.
The following MV products DO NOT contain any version of Log4j, OR contain a version of Log4j that is not impacted by the vulnerability:
MV Application Servers:
U2 DB Tools
U2 Common Clients
U2 Toolkit for .NET
U2 Web DE
Spring Boot logback vulnerability (CVE-2021-42550) - Medium
The Spring Boot logback issue is completely different than the above critical issue.
As our security team was monitoring the Log4j vulnerability, they were notified of an action from Spring to pick up logback version 1.2.8 (LOGBACK-1591).
This vulnerability is at a much lower security risk level than the Log4j vulnerability (http://logback.qos.ch/news.html). The Spring Boot logback vulnerability was reported to the National Vulnerability Database as CVE-2021-42550 and affects versions prior to 1.2.8.
The following MV products/versions have been impacted by CVE-2021-42550. Product impact and next steps are detailed below.
U2 DBTools v4.4.1
All products have been removed from hold status in RBC.
v1.1.1 was released including logback v1.2.8
MVIS v1.3.0 and U2 DBTools v4.4.1:
After technical review of MVIS and U2 DBTools we determined that the vulnerability risk is very low. Furthermore, the listed products do not meet the criteria for exploitation as published on the logback news web page. As a precaution, we will upgrade to version 1.2.9 (or later) of logback in the next maintenance release of MVIS and U2 DBTools.
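As an added verification step, not part of this notice and not vendor code, the following Python script walks an installation tree and flags Log4j and logback jars whose file name carries a version below the levels named above (Log4j 2.16.0 as shipped in MVVS 1.3.2, logback 1.2.8 as the first release unaffected by CVE-2021-42550). The directory layout and jar file names are constructed for the demonstration and do not describe the real layout of any MV product; adapt the root path to the install you are checking.

```python
"""Flag Log4j / logback jars below the versions named in the advisory.

Added example, not vendor code. Thresholds come from the advisory text;
the sample directory tree below is constructed for the demonstration.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Minimum acceptable versions taken from the advisory: Log4j 2.16.0 is the
# version the vendor moved to for CVE-2021-44228; logback 1.2.8 is the first
# release not affected by CVE-2021-42550.
MINIMUM_VERSIONS: Dict[str, Version] = {
    "log4j-core": (2, 16, 0),
    "logback-core": (1, 2, 8),
    "logback-classic": (1, 2, 8),
}

# Matches names such as log4j-core-2.14.1.jar or logback-classic-1.2.3.jar.
# A trailing qualifier (-beta9, -SNAPSHOT) is accepted but not compared, so a
# pre-release of an old line is still treated as that old line.
JAR_NAME_RE = re.compile(
    r"^(?P<artifact>[a-z0-9]+(?:-[a-z]+)*)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:-[A-Za-z0-9.]+)?\.jar$"
)


def parse_version(text: str) -> Version:
    """'2.14.1' -> (2, 14, 1); short strings are padded so '2.0' -> (2, 0, 0)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def scan_for_logging_jars(root: Path) -> List[Tuple[str, str, str, bool]]:
    """Return (relative path, artifact, version, needs_update) for each jar
    under root whose artifact is one of the tracked logging libraries."""
    findings = []
    for jar in sorted(root.rglob("*.jar"), key=str):
        match = JAR_NAME_RE.match(jar.name)
        if not match:
            continue  # no version in the name; see the note below the block
        artifact = match.group("artifact")
        if artifact not in MINIMUM_VERSIONS:
            continue  # e.g. log4j-api is not the affected artifact
        version = match.group("version")
        needs_update = parse_version(version) < MINIMUM_VERSIONS[artifact]
        findings.append(
            (jar.relative_to(root).as_posix(), artifact, version, needs_update)
        )
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample layout; file contents are irrelevant to a name scan."""
    for rel in [
        "editor-ext/lib/log4j-core-2.14.1.jar",   # below 2.16.0: flag
        "editor-ext/lib/log4j-api-2.14.1.jar",    # not tracked: ignore
        "dbtools/lib/logback-classic-1.2.3.jar",  # below 1.2.8: flag
        "dbtools/lib/logback-core-1.2.8.jar",     # at threshold: ok
        "patched/lib/log4j-core-2.16.0.jar",      # at threshold: ok
        "legacy/lib/log4j-core-2.0-beta9.jar",    # pre-release of 2.0: flag
    ]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")


def demo() -> List[Tuple[str, str, str, bool]]:
    """Build the constructed tree, scan it, print a report, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = scan_for_logging_jars(root)
    for path, artifact, version, needs_update in findings:
        status = "UPDATE" if needs_update else "ok"
        print(f"{status:6} {artifact:16} {version:8} {path}")
    return findings


if __name__ == "__main__":
    demo()
```

A name-based scan is only a first pass: jars that were renamed or shaded into another archive carry no version in their file name and are skipped here, so for anything the script does not recognise, open the archive and read the version from its manifest or simply apply the vendor's fix (install MVVS 1.3.2 or later, and take the next MVIS and U2 DBTools maintenance release).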
Please feel free to reach out to support should you have any questions or concerns regarding any of the MV products and the security vulnerabilities.
MV Product Manager