Faq log4j jar security issue: Difference between revisions
No edit summary |
|||
Line 7: | Line 7: | ||
All of our products are based upon the MATLAB platform, and each installation of MATLAB includes a copy of the log4j.jar file. This instance of log4j is the older version 1, which does not have the Log4Shell vulnerability. [https://logging.apache.org/log4j/2.x/security.html Apache Log4j Security Vulnerabilities] states "Log4j 1.x is not impacted by this vulnerability.". | All of our products are based upon the MATLAB platform, and each installation of MATLAB includes a copy of the log4j.jar file. This instance of log4j is the older version 1, which does not have the Log4Shell vulnerability. [https://logging.apache.org/log4j/2.x/security.html Apache Log4j Security Vulnerabilities] states "Log4j 1.x is not impacted by this vulnerability.". | ||
The MathWorks response can be found [https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab here]. | |||
The presence of a log4j jar file on a computer does not imply a vulnerability. It is only when log4j is used on an exposed server that the vulnerability can be a problem. We do not use log4j in Eigenvector software. Our testing thus far indicates that removal of the Matab log4j.jar file will not affect EVRI software other than causing some error messages to appear upon the startup of MATLAB. PLS_Toolbox or compiled products (Solo, Solo+MIA, Solo_Predictor,...) should work normally as they do not depend on log4j. | The presence of a log4j jar file on a computer does not imply a vulnerability. It is only when log4j is used on an exposed server that the vulnerability can be a problem. We do not use log4j in Eigenvector software. Our testing thus far indicates that removal of the Matab log4j.jar file will not affect EVRI software other than causing some error messages to appear upon the startup of MATLAB. PLS_Toolbox or compiled products (Solo, Solo+MIA, Solo_Predictor,...) should work normally as they do not depend on log4j. |
Latest revision as of 13:38, 24 January 2024
Issue:
What should I do about the log4j.jar security issue "Log4Shell" discovered in December 2021? See Wikipedia: Log4Shell
Possible Solutions:
All of our products are based upon the MATLAB platform, and each installation of MATLAB includes a copy of the log4j.jar file. This instance of log4j is the older version 1, which does not have the Log4Shell vulnerability. Apache Log4j Security Vulnerabilities states "Log4j 1.x is not impacted by this vulnerability.".
The MathWorks response can be found here.
The presence of a log4j jar file on a computer does not imply a vulnerability. It is only when log4j is used on an exposed server that the vulnerability can be a problem. We do not use log4j in Eigenvector software. Our testing thus far indicates that removal of the Matab log4j.jar file will not affect EVRI software other than causing some error messages to appear upon the startup of MATLAB. PLS_Toolbox or compiled products (Solo, Solo+MIA, Solo_Predictor,...) should work normally as they do not depend on log4j.
PLS_Toolbox
If you are a PLS_Toolbox user, you will find this file starting from the top level MATLAB folder under topLevelMATLABfolder/java/jarext, for example if you are using Matlab R2020b:
C:\Program Files\MATLAB\R2020b\java\jarext
If you have installed the Matlab Runtime separately then it will be installed there, for example at: C:\Program Files\MATLAB\MATLAB Runtime\v99\java\jarext
Note that under macOS and Linux, you will have to navigate inside of the application bundle for MATLAB under those platforms.
Solo, Solo+MIA, Solo_Predictor
For our compiled products Solo (and variants) and Solo_Predictor, this log4j.jar file will found under the folder structure for the MATLAB Runtime engine, the location of which is operating system dependent. The file should be listed by the appropriate search tool and our limited testing thus far indicates no issues with Solo or Solo_Predictor. The default Windows location for compiled products (Solo, Solo+MIA, or Solo_Predictor) is, for example Solo_Predictor:
C:\Program Files\EVRI\Solo_Predictor\application\java\jarext\log4j.jar
For Solo or Solo+MIA version 9.0:
C:\Program Files\MATLAB\MATLAB Runtime\v99\java\jarext\log4j.jar
We recommend that you review this release from The Mathworks on this issue and contact them with any additional queries.
Finally, note that Log4j version 1 is old and has other vulnerabilities so we recommend that you remove the Matlab-related log4j.jar file. If you must keep the log4j.jar file because your software depends on it then it is recommended you switch to log4j version 2 and follow the suggestions as described for example at: Patch and Mitigation, or the first link above.
Still having problems? Please contact our helpdesk at helpdesk@eigenvector.com