Apache Log4j vulnerability (CVE-2021-44228) - Critical

Since the Apache Log4j vulnerability (CVE-2021-44228) was disclosed on Dec 09, 2021, your MV teams have been actively monitoring the issue and assessing its impact on the MV products.

The following MV products have been impacted. Product impact and next steps are detailed below.

MV BASIC for VS Code:

MV BASIC for VS Code v1.3.0 and prior contains and uses a version of Log4j that can potentially be exploited through this vulnerability. We have therefore upgraded the Log4j version in MVVS 1.3.2 to v2.16.0 to resolve this issue and advise you to upgrade by downloading the latest extension from the Visual Studio Code Marketplace.

NOT IMPACTED:

The following MV products DO NOT contain any version of Log4j, OR contain a version of Log4j that is not impacted by the vulnerability:

MV Application Servers:
UniVerse
UniData
D3
OpenQM
mvBase
jBASE

Server Tools:
U2 DB Tools
U2 Common Clients
U2 Toolkit for .NET

Tools:
MVX
MVIS
MVConnect
MVS Toolkit
U2 Web DE
SBXA
wIntegrate
AccuTerm
MVDashboard


Spring Boot logback vulnerability (CVE-2021-42550) - Medium

The Spring Boot logback issue is completely different from the critical issue above.

While our security team was monitoring the Log4j vulnerability, it was notified of an action by Spring to pick up logback version 1.2.8 (LOGBACK-1591).

This vulnerability carries a much lower security risk than the Log4j vulnerability (http://logback.qos.ch/news.html). The Spring Boot logback vulnerability was reported to the National Vulnerability Database as CVE-2021-42550 and affects logback versions prior to 1.2.8.

The following MV products/versions have been impacted by CVE-2021-42550. Product impact and next steps are detailed below.

MVX v1.1.0
MVIS v1.3.0
U2 DBTools v4.4.1

Remediation

All products have been removed from hold status in RBC.

MVX v1.1.0:

v1.1.1 was released, including logback v1.2.8.

MVIS v1.3.0 and U2 DBTools v4.4.1:

After technical review of MVIS and U2 DBTools, we determined that the vulnerability risk is very low. Furthermore, the listed products do not meet the criteria for exploitation published on the logback news page. As a precaution, we will upgrade to version 1.2.9 (or later) of logback in the next maintenance release of MVIS and U2 DBTools.
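As an added example (not part of this advisory and not Rocket Software tooling), a small script that walks an installation directory, reads each JAR's manifest, and flags log4j-core below 2.16.0 or logback-classic below 1.2.8, the fixed versions named above for the two CVEs; the directory it scans is constructed inline with placeholder JARs for demonstration, so point find_vulnerable_jars at a real extension or product directory to verify an upgrade landed.

```python
import os
import re
import tempfile
import zipfile

# Fixed versions from the advisory: Log4j 2.16.0 (CVE-2021-44228), logback 1.2.8 (CVE-2021-42550).
MIN_FIXED = {"log4j-core": (2, 16, 0), "logback-classic": (1, 2, 8)}
JAR_NAME = re.compile(r"^(?P<artifact>[a-z0-9-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    return tuple(int(p) for p in text.split("."))  # tuples compare numerically, so 2.9 < 2.16

def jar_version(path):
    """Return (artifact, version) for a JAR, preferring the manifest's Implementation-Version."""
    m = JAR_NAME.match(os.path.basename(path))
    if not m:
        return None
    artifact, version = m.group("artifact"), parse_version(m.group("version"))
    with zipfile.ZipFile(path) as zf:
        if "META-INF/MANIFEST.MF" in zf.namelist():
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            mv = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", manifest, re.M)
            if mv:  # a renamed or repackaged JAR still reports its real version here
                version = parse_version(mv.group(1))
    return artifact, version

def find_vulnerable_jars(root):
    """Walk root and return sorted (filename, version) pairs that are below the fixed version."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            parsed = jar_version(os.path.join(dirpath, name))
            if parsed and parsed[0] in MIN_FIXED and parsed[1] < MIN_FIXED[parsed[0]]:
                findings.append((name, ".".join(map(str, parsed[1]))))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample install dir: one old and one fixed JAR per library (not real product files)."""
    root = tempfile.mkdtemp()
    for name, impl in [("log4j-core-2.14.1.jar", "2.14.1"), ("log4j-core-2.16.0.jar", "2.16.0"),
                       ("logback-classic-1.2.7.jar", "1.2.7"), ("logback-classic-1.2.9.jar", "1.2.9")]:
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {impl}\n")
    return root

if __name__ == "__main__":
    for jar, ver in find_vulnerable_jars(build_sample_tree()):
        print(f"needs upgrade: {jar} ({ver})")
```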

Please feel free to reach out to support should you have any questions or concerns regarding any of the MV products and the security vulnerabilities.



------------------------------
Christine Rizza
MV Product Manager
Rocket Software
crizza@rocketsoftware.com
------------------------------