
MV Platform Vulnerability Clarification (UPDATED 1/12/2022)

    ROCKETEER
    Posted 12-17-2021 12:47
    Edited by David Andrews 05-10-2022 06:20

    Apache Log4j vulnerability (CVE-2021-44228) - Critical

    As the Apache Log4j vulnerability (CVE-2021-44228) was disclosed on Dec 09, 2021, your MV teams have been actively monitoring the issue and assessing its impact on the MV products. 
    The following MV products have been impacted. Product impact and next steps are detailed below.
    MV BASIC for VS Code:

    MV BASIC for VS Code v1.3.0 and prior contains and uses a version of Log4j that can potentially be exploited by this vulnerability. We have therefore upgraded the Log4j version in MVVS 1.3.2 to v2.16.0 to resolve this issue and advise you to upgrade by downloading the latest extension on the Visual Studio Code Marketplace.

    NOT IMPACTED:

    The following MV products DO NOT contain any version of Log4j, OR contain a version of Log4j that is not impacted by the vulnerability:
    MV Application Servers:

    UniVerse

    UniData

    D3

    OpenQM

    mvBase

    jBASE
    Server Tools:

    U2 DB Tools

    U2 Common Clients

    U2 Toolkit for .NET
    Tools:

    MVX

    MVIS

    MVConnect

    MVS Toolkit

    U2 Web DE

    SBXA

    wIntegrate

    AccuTerm

    MVDashboard
    Spring Boot logback vulnerability (CVE-2021-42550) - Medium

    The Spring Boot logback issue is completely different from the above critical issue.

    As our security team was monitoring the Log4j vulnerability they were notified of an action from Spring to pick up logback version 1.2.8, LOGBACK-1591.

    This vulnerability is at a much lower security risk level than the Log4j vulnerability (http://logback.qos.ch/news.html). The Spring Boot logback vulnerability was reported to the National Vulnerability Database as CVE-2021-42550 and affects versions prior to 1.2.8.

    The following MV products/versions have been impacted by CVE-2021-42550. Product impact and next steps are detailed below.

    MVX v1.1.0

    MVIS v1.3.0

    U2 DBTools v4.4.1

    Remediation

    All products have been removed from hold status in RBC.

    MVX v1.1.0:

    v1.1.1 was released including logback v1.2.8

    MVIS v1.3.0 and U2 DBTools v4.4.1:

    After technical review of MVIS and U2 DBTools we determined that the vulnerability risk is very low. Furthermore, the listed products do not meet the criteria for exploit as published in the logback news web page. As a precaution, we will upgrade to version 1.2.9 (or later) of logback in the next maintenance release of MVIS and U2 DBTools.

    Please feel free to reach out to support should you have any questions or concerns regarding any of the MV products and the security vulnerabilities.



    ------------------------------
    Christine Rizza
    MV Product Manager
    Rocket Software
    crizza@rocketsoftware.com
    ------------------------------