Apache Log4j Vulnerability
Everything you need to know about our software products and Apache Log4j.
A security vulnerability in the Apache Log4j Java library has been disclosed. Apache Log4j is affected by this vulnerability in versions 2.0 to 2.14.1. The vulnerability has been resolved with version 2.17.0.
As a trusted partner of our customers, we officially inform you about the use of the Log4j library in the software products of .riess engineering.
We have analyzed all .riess engineering software products and, where applicable, replaced the Apache Log4j Java library with the currently recommended version.
Project-specific or customer-specific developments are excluded from this analysis.
Relevance for .riess engineering / SAP software products
.riess engineering / SAP software products affected by this vulnerability
- SAP Engineering Control Center interface to PTC Creo
- .riess JsConverter
- .riess Converter
- .riess MigrationSuite
- .riess Plugin for cenitCONNECT EnCo 6.1
.riess engineering / SAP software products not affected by this vulnerability
- SAP product data management integration to PTC Windchill
- SAP PLM Integration to Pro/ENGINEER and PTC Creo
- .riess CopyAssistant
Availability of new versions
SAP software products available in SAP Software Download Center
- SAP Engineering Control Center interface to PTC Creo
.riess engineering software products available at .riess
- .riess JsConverter
- .riess Converter
- .riess MigrationSuite
.riess engineering software products available at CENIT
- .riess Plugin for cenitCONNECT EnCo 6.1
Notes and further resources
Please refer to the following updated notes in the SAP One Support Launchpad and SAP Wiki SCN:
- 2112629 - ECTR interface to PTC Creo: Installation and patches
- 2382535 - SAP PDM Integration to PTC Windchill: Installation and patches
- 1451121 - HRE: SAP PLM integration for Pro/ENGINEER 3.2 – patches
- CVE-2021-44228, CVE-2021-45046 Apache Log4j 2 - Usage in SAP ECTR Interface to PTC Creo - Product Lifecycle Management - Community Wiki
Short-term mitigation measure
The Log4j supplier recommends the following short-term mitigation measures:
- Environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS should be set to true
Or
- Delete JndiLookup from the classpath [APA2021b]: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Source: www.bsi.bund.de
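To confirm that one of the two short-term measures above is actually in place for each log4j-core jar on a system, a check along the following lines can be used. It is an added example, not code from .riess engineering, SAP or the BSI: the function names, status labels and sample directory tree are constructed for illustration, the affected range is the one stated on this page, and the 2.10 lower bound for the environment variable comes from Apache's Log4j documentation rather than from this page.

```python
import re, tempfile, zipfile
from pathlib import Path

# Class path taken from the page's zip command; version range as stated on the page.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")

def jar_version(name):
    # (major, minor, patch) parsed from the jar file name, or None if it does not match
    m = JAR_RE.match(name)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def audit(root, env):
    """Classify each log4j-core jar below root; env is the Java process's environment."""
    no_lookups = env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"
    report = {}
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        version = jar_version(jar.name)
        with zipfile.ZipFile(jar) as zf:
            has_jndi = JNDI_CLASS in zf.namelist()
        if version is None:
            status = "unknown-version"
        elif not (AFFECTED_MIN <= version <= AFFECTED_MAX):
            status = "outside-affected-range"
        elif not has_jndi:
            status = "mitigated-class-removed"
        elif no_lookups and version >= (2, 10, 0):  # variable is only read from 2.10 on
            status = "mitigated-env-var"
        else:
            status = "unmitigated"
        report[jar.relative_to(root).as_posix()] = status
    return report

def demo(env):
    """Run audit() over a constructed tree of placeholder jars (not real Log4j)."""
    layout = {"a/log4j-core-2.14.1.jar": True, "b/log4j-core-2.14.1.jar": False,
              "c/log4j-core-2.8.2.jar": True, "d/log4j-core-2.17.0.jar": True}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, with_jndi in layout.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True)
            with zipfile.ZipFile(path, "w") as zf:
                zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
                if with_jndi:
                    zf.writestr(JNDI_CLASS, b"constructed placeholder")
        return audit(tmp, env)

if __name__ == "__main__":
    for jar, status in demo({"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}).items():
        print(f"{status:24} {jar}")
```

The check looks only at standalone log4j-core-*.jar files; copies bundled inside other archives are not examined.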