Apache Log4J Vulnerability

Everything you need to know about our software products and Apache Log4J.

A security vulnerability regarding the Apache Log4j Java library has been communicated. Apache Log4j is affected by this vulnerability in versions 2.0 to 2.14.1. The vulnerability has been resolved with version 2.17.0.

As a trusted partner of our customers, we officially inform you about the use of the Log4j library in the software products of .riess engineering.

We have analyzed all .riess engineering software products and replaced Apache Log4j Java library with the currently recommended version if applicable.

Project-specific or customer-specific developments are excluded from this analysis.

Relevance for .riess engineering / SAP software products

.riess engineering / SAP software products affected by this vulnerability

SAP Engineering Control Center interface to PTC Creo
.riess JsConverter
.riess Converter
.riess MigrationSuite
.riess Plugin for cenitCONNECT EnCo 6.1

.riess engineering / SAP software products not affected by this vulnerability

SAP product data management integration to PTC Windchill
SAP PLM Integration to Pro/ENGINEER and PTC Creo
.riess CopyAssistant

Availability of new versions

SAP software products available in SAP Software Download Center

SAP Engineering Control Center interface to PTC Creo

.riess engineering software products available at .riess

riess JsConverter
.riess Converter
.riess MigrationSuite

.riess engineering software products available at CENIT

.riess Plugin for cenitCONNECT EnCo 6.1

Notes and further ressources

Please regard the following updated notes in the SAP One Support Launchpad and SAP Wiki SCN:

Short-term mitigation measure

As a short-term mitigation measure recommended by the Log4j supplier:

Environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS should be set to true

Delete JndiLookup from the classpath [APA2021b]: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

_{Source: www.bsi.bund.de}

Back