UPDATED: Is OpenEdge vulnerable to CVE-2021-44228 (Log4j)?

Article Number: 000206958
Information
The following OpenEdge components are impacted and require immediate mitigation:
  • 11.7.11 Classic REST Adapter

  • 11.7.11 “import-export” utility (configutil)

  • OpenEdge Command Center (OECC) Version 1
    NOTE: The OpenEdge Command Center ships in a separate installer, whereas the 11.7.11 components are part of the OpenEdge product installation.

As part of continued guidance to OpenEdge customers on the CVE-2021-44228 vulnerability report, we would like to clarify that the vulnerable log4j 2.14.1 dependency was introduced only in our latest OpenEdge update, OE Update Version 11.7.11.

If you are using an earlier 11.7 release (11.7.0 through 11.7.10), you have no exposure through the Classic REST Adapter or the import-export utility (configutil). In those versions you may find log4j dependencies with log4j 1.x versioning. Log4j 1.x is not affected by CVE-2021-44228, and therefore all earlier 11.7.x versions are not affected.

Retired versions of OpenEdge make use of log4j version 2 jar files.

Mitigation Action:

Affected customers should take immediate action to mitigate the vulnerability by setting the log4j2.formatMsgNoLookups system property to true. This can be done in one of two ways:

  • Setting the system property directly:    log4j2.formatMsgNoLookups=true
  • Setting the JVM parameter:               -Dlog4j2.formatMsgNoLookups=true

The setting only takes effect once the affected Java process has been restarted. Treat it as a stop-gap: the property is honored by log4j-core 2.10.0 and later (2.14.1 qualifies), and the Apache advisory for CVE-2021-45046 found it incomplete for certain non-default Pattern Layout configurations, so the durable fix is a log4j-core release that addresses all known log4shell CVEs or removal of the JndiLookup class from the log4j-core jar.

All other components of OpenEdge 11.7.x are not at risk, as they depend upon log4j 1.2.x jars, which are not affected. Refer to article 000207443 Log4j 1.2.x Mitigations for OpenEdge for information about log4j version 1 vulnerabilities.

OpenEdge 12.x LTS and non-LTS product components are NOT affected. Java logging in PAS for OpenEdge 12.x uses the logback logging library instead of log4j and is therefore not vulnerable.
The OEM and PDSOE components of OpenEdge 12.x use log4j version 1.
While log4j version 1 is not exposed to the log4shell vulnerabilities reported in log4j version 2, please refer to article 000207443 Log4j 1.2.x Mitigations for OpenEdge for more information about log4j version 1 vulnerabilities.
In all cases where older OpenEdge releases are being deployed, please check the Product Availability Guide to ensure you are on a supported version of OpenEdge.


If you are scanning supported OpenEdge installations for log4j dependencies, you may find the following files:
  • log4j-1.2.x jars
    • log4j versions 1.2.x are not affected by the vulnerability

  • log4j-api, log4j-to-slf4j or log4j-jul
    • None of these jar files are affected by the vulnerability

When scanning, match on the artifact name rather than on the string “log4j” alone: a log4j-api 2.x jar sitting next to a log4j-core 2.x jar is expected, and only the core jar determines exposure.

Only “log4j-core-*” jars of log4j version 2 are vulnerable to the full suite of known log4shell vulnerabilities:
  • CVE-2021-44228 (JNDI lookup triggered from log message content; remote code execution)
  • CVE-2021-45046 (incomplete fix for CVE-2021-44228 in certain non-default configurations)
  • CVE-2021-45105 (uncontrolled recursion in context lookups; denial of service)
  • CVE-2021-44832 (JNDI via the JDBC appender when an attacker controls the logging configuration; remote code execution)
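The two checks above (which jars matter when scanning an installation, and whether the formatMsgNoLookups mitigation from the Mitigation Action section actually covers a given log4j-core jar) as an added example, not code from Progress or from this article: a Python scanner that walks an install tree, classifies each log4j jar by artifact name and version, looks inside log4j-core jars for the JndiLookup class, and takes the JVM arguments or environment of the component into account. Assumptions not taken from the article: jar names follow the stock Maven <artifact>-<version>.jar pattern, and the sample tree the script builds (directory names rest, oem, patched, upgraded) is constructed purely for demonstration.

```python
# Added example, not Progress code. Assumes stock Maven jar names
# (<artifact>-<version>.jar); the sample tree built below is constructed.
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^(log4j(?:-[a-z0-9]+)*?)-(\d+(?:\.\d+)*)\.jar$")
# log4j-core releases that fix all four CVEs: 2.17.1 on the main line,
# 2.12.4 (Java 7) and 2.3.2 (Java 6) on the backport branches.
FIXED_RANGES = (((2, 17, 1), None), ((2, 12, 4), (2, 13, 0)), ((2, 3, 2), (2, 4, 0)))


def parse_version(text):
    """'2.14.1' -> (2, 14, 1), padded to three fields so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def is_fixed(ver):
    return any(lo <= ver and (hi is None or ver < hi) for lo, hi in FIXED_RANGES)


def has_jndi_lookup(jar_path):
    """True if the jar still ships the class that performs the JNDI lookup."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def mitigation_flag_set(jvm_args=(), env=None):
    """The JVM-parameter form from the article, plus the environment-variable
    form that log4j 2.10+ also honors."""
    if any(a.strip() == "-Dlog4j2.formatMsgNoLookups=true" for a in jvm_args):
        return True
    return (env or {}).get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"


def classify_jar(jar_path, jvm_args=(), env=None):
    """Return (status, note) for a log4j jar, or None for any other jar."""
    m = JAR_RE.match(os.path.basename(jar_path))
    if not m:
        return None
    artifact, ver = m.group(1), parse_version(m.group(2))
    if artifact == "log4j" and ver[0] == 1:
        return "not-affected", "log4j 1.x is not exposed to log4shell (see article 000207443)"
    if artifact != "log4j-core":
        return "not-affected", artifact + " carries no lookup code"
    if is_fixed(ver):
        return "fixed", "release fixes all four CVEs"
    if not has_jndi_lookup(jar_path):
        return "jndilookup-removed", "CVE-2021-44228/45046 blocked; 45105/44832 still need an upgrade"
    flag = mitigation_flag_set(jvm_args, env)
    if flag and ver >= (2, 10, 0):
        return "mitigated", "formatMsgNoLookups honored (2.10+) but incomplete for CVE-2021-45046; upgrade"
    if flag:
        return "vulnerable", "formatMsgNoLookups is ignored before 2.10; remove JndiLookup.class or upgrade"
    return "vulnerable", "log4j-core 2.x with JndiLookup present and no mitigation"


def scan_tree(root, jvm_args=(), env=None):
    """Walk an install tree; return {relative jar path: status}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                full = os.path.join(dirpath, name)
                result = classify_jar(full, jvm_args, env)
                if result:
                    findings[os.path.relpath(full, root).replace(os.sep, "/")] = result[0]
    return findings


def build_sample_tree(root):
    """Constructed jars: minimal archives, with a JndiLookup.class stub where flagged."""
    layout = {
        "rest/log4j-core-2.14.1.jar": True,       # the 11.7.11 dependency, as shipped
        "rest/log4j-api-2.14.1.jar": False,
        "rest/log4j-to-slf4j-2.14.1.jar": False,
        "oem/log4j-1.2.17.jar": False,            # log4j 1.x
        "patched/log4j-core-2.14.1.jar": False,   # JndiLookup.class deleted from the jar
        "upgraded/log4j-core-2.17.1.jar": True,   # fixed release still ships the class
    }
    for rel, with_jndi in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # stub bytes, not a real class


def demo(jvm_args=(), env=None):
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp, jvm_args, env)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:18} {rel}")
    print("rest/log4j-core-2.14.1.jar with -Dlog4j2.formatMsgNoLookups=true:",
          demo(["-Dlog4j2.formatMsgNoLookups=true"])["rest/log4j-core-2.14.1.jar"])
```

Point scan_tree at a real OpenEdge install directory (and pass the JVM arguments the Classic REST Adapter or configutil is actually started with) to get the same classification for shipped jars; the status codes are deliberately coarse so they can be dropped straight into an inventory spreadsheet. Note that the check for JndiLookup.class is what distinguishes a jar someone has already patched with zip -d from an untouched 2.14.1, which a filename-only scan cannot tell apart.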

Refer to article 000207443 Log4j 1.2.x Mitigations for OpenEdge for information about log4j version 1 vulnerabilities where appropriate.

Additional Information
Environment: OpenEdge 11.7.11
Last Modified Date: 2/3/2022 6:23 PM
Disclaimer The origins of the information on this site may be internal or external to Progress Software Corporation (“Progress”). Progress Software Corporation makes all reasonable efforts to verify this information. However, the information provided is for your information only. Progress Software Corporation makes no explicit or implied claims to the validity of this information.

Any sample code provided on this site is not supported under any Progress support program or service. The sample code is provided on an "AS IS" basis. Progress makes no warranties, express or implied, and disclaims all implied warranties including, without limitation, the implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample code is borne by the user. In no event shall Progress, its employees, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample code, even if Progress has been advised of the possibility of such damages.