Faq log4j jar security issue: Difference between revisions

From Eigenvector Research Documentation Wiki
Jump to navigation Jump to search
 
(4 intermediate revisions by 2 users not shown)
Line 6: Line 6:
===Possible Solutions:===
===Possible Solutions:===


All of our products are based upon the MATLAB platform, and each installation of MATLAB includes a copy of the log4j.jar file. This instance of log4j is the older version 1, which does not have the Log4Shell vulnerability. However, log4j version 1 is old and has other vulnerabilities so we recommend that you remove the Matlab-related log4j.jar file. If you must keep the log4j.jar file because your software depends on it then it is recommended you switch to log4j version 2 and follow the suggestions as described for example at:
All of our products are based upon the MATLAB platform, and each installation of MATLAB includes a copy of the log4j.jar file. This instance of log4j is the older version 1, which does not have the Log4Shell vulnerability. [https://logging.apache.org/log4j/2.x/security.html Apache Log4j Security Vulnerabilities] states "Log4j 1.x is not impacted by this vulnerability.".  
[https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html Patch and Mitigation].  
 
The MathWorks response can be found [https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab here].


The presence of a log4j jar file on a computer does not imply a vulnerability. It is only when log4j is used on an exposed server that the vulnerability can be a problem. We do not use log4j in Eigenvector software. Our testing thus far indicates that removal of the Matab log4j.jar file will not affect EVRI software other than causing some error messages to appear upon the startup of MATLAB. PLS_Toolbox or compiled products (Solo, Solo+MIA, Solo_Predictor,...) should work normally as they do not depend on log4j.
The presence of a log4j jar file on a computer does not imply a vulnerability. It is only when log4j is used on an exposed server that the vulnerability can be a problem. We do not use log4j in Eigenvector software. Our testing thus far indicates that removal of the Matab log4j.jar file will not affect EVRI software other than causing some error messages to appear upon the startup of MATLAB. PLS_Toolbox or compiled products (Solo, Solo+MIA, Solo_Predictor,...) should work normally as they do not depend on log4j.


If you are a PLS_Toolbox user, you will find this file starting from the top level MATLAB folder under topLevelMATLABfolder/java/jarext, for example if you are using Matlab R2020b: C:\Program Files\MATLAB\R2020b\java\jarext  
====PLS_Toolbox====
If you are a PLS_Toolbox user, you will find this file starting from the top level MATLAB folder under topLevelMATLABfolder/java/jarext, for example if you are using Matlab R2020b:  
  C:\Program Files\MATLAB\R2020b\java\jarext  
 
If you have installed the Matlab Runtime separately then it will be installed there, for example at:
C:\Program Files\MATLAB\MATLAB Runtime\v99\java\jarext
 
Note that under macOS and Linux, you will have to navigate inside of the application bundle for MATLAB under those platforms.
Note that under macOS and Linux, you will have to navigate inside of the application bundle for MATLAB under those platforms.


====Solo, Solo+MIA, Solo_Predictor====
For our compiled products Solo (and variants) and Solo_Predictor, this log4j.jar file will found under the folder structure for the MATLAB Runtime engine, the location of which is operating system dependent. The file should be listed by the appropriate search tool and our limited testing thus far indicates no issues with Solo or Solo_Predictor. The default Windows location for compiled products (Solo, Solo+MIA, or Solo_Predictor) is, for example Solo_Predictor:
For our compiled products Solo (and variants) and Solo_Predictor, this log4j.jar file will found under the folder structure for the MATLAB Runtime engine, the location of which is operating system dependent. The file should be listed by the appropriate search tool and our limited testing thus far indicates no issues with Solo or Solo_Predictor. The default Windows location for compiled products (Solo, Solo+MIA, or Solo_Predictor) is, for example Solo_Predictor:
   C:\Program Files\EVRI\Solo_Predictor\application\java\jarext\log4j.jar
   C:\Program Files\EVRI\Solo_Predictor\application\java\jarext\log4j.jar
Line 19: Line 27:
   C:\Program Files\MATLAB\MATLAB Runtime\v99\java\jarext\log4j.jar
   C:\Program Files\MATLAB\MATLAB Runtime\v99\java\jarext\log4j.jar


We recommend that you contact The Mathworks regarding this issue to get their official response.
We recommend that you review this [https://www.mathworks.com/content/dam/mathworks/policies/mathworks-response-to-cve-2021-44228-log4j-vulnerability.pdf release] from The Mathworks on this issue and contact them with any additional queries.
 
Finally, note that Log4j version 1 is old and has other vulnerabilities so we recommend that you remove the Matlab-related log4j.jar file. If you must keep the log4j.jar file because your software depends on it then it is recommended you switch to log4j version 2 and follow the suggestions as described for example at:
[https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html Patch and Mitigation], or the first link above.  





Latest revision as of 13:38, 24 January 2024

Issue:

What should I do about the log4j.jar security issue "Log4Shell" discovered in December 2021? See Wikipedia: Log4Shell

Possible Solutions:

All of our products are based upon the MATLAB platform, and each installation of MATLAB includes a copy of the log4j.jar file. This instance of log4j is the older version 1, which does not have the Log4Shell vulnerability. Apache Log4j Security Vulnerabilities states "Log4j 1.x is not impacted by this vulnerability.".

The MathWorks response can be found here.

The presence of a log4j jar file on a computer does not imply a vulnerability. It is only when log4j is used on an exposed server that the vulnerability can be a problem. We do not use log4j in Eigenvector software. Our testing thus far indicates that removal of the Matab log4j.jar file will not affect EVRI software other than causing some error messages to appear upon the startup of MATLAB. PLS_Toolbox or compiled products (Solo, Solo+MIA, Solo_Predictor,...) should work normally as they do not depend on log4j.

PLS_Toolbox

If you are a PLS_Toolbox user, you will find this file starting from the top level MATLAB folder under topLevelMATLABfolder/java/jarext, for example if you are using Matlab R2020b:

 C:\Program Files\MATLAB\R2020b\java\jarext 

If you have installed the Matlab Runtime separately then it will be installed there, for example at: C:\Program Files\MATLAB\MATLAB Runtime\v99\java\jarext

Note that under macOS and Linux, you will have to navigate inside of the application bundle for MATLAB under those platforms.

Solo, Solo+MIA, Solo_Predictor

For our compiled products Solo (and variants) and Solo_Predictor, this log4j.jar file will found under the folder structure for the MATLAB Runtime engine, the location of which is operating system dependent. The file should be listed by the appropriate search tool and our limited testing thus far indicates no issues with Solo or Solo_Predictor. The default Windows location for compiled products (Solo, Solo+MIA, or Solo_Predictor) is, for example Solo_Predictor:

 C:\Program Files\EVRI\Solo_Predictor\application\java\jarext\log4j.jar

For Solo or Solo+MIA version 9.0:

 C:\Program Files\MATLAB\MATLAB Runtime\v99\java\jarext\log4j.jar

We recommend that you review this release from The Mathworks on this issue and contact them with any additional queries.

Finally, note that Log4j version 1 is old and has other vulnerabilities so we recommend that you remove the Matlab-related log4j.jar file. If you must keep the log4j.jar file because your software depends on it then it is recommended you switch to log4j version 2 and follow the suggestions as described for example at: Patch and Mitigation, or the first link above.


Still having problems? Please contact our helpdesk at helpdesk@eigenvector.com