Faq log4j jar security issue: Difference between revisions

From Eigenvector Research Documentation Wiki
Jump to navigation Jump to search
Line 1: Line 1:
===Issue:===
===Issue:===


What should I do about the log4j.jar security issue discovered in December 2021?
What should I do about the log4j.jar security issue "Log4Shell" discovered in December 2021?
See [https://en.wikipedia.org/wiki/Log4Shell Wikipedia: Log4Shell]
See [https://en.wikipedia.org/wiki/Log4Shell Wikipedia: Log4Shell]



Revision as of 17:01, 13 December 2021

Issue:

What should I do about the log4j.jar security issue "Log4Shell" discovered in December 2021? See Wikipedia: Log4Shell

Possible Solutions:

All of our products are based upon the MATLAB platform, and each installation of MATLAB includes a copy of the log4j.jar file. We recommend that you remove the Matlab-related log4j.jar file immediately. If you must keep the log4j.jar file because your software depends on it then follow suggestions as described for example at: Patch and Mitigation

Our testing thus far indicates that removal of the Matab log4j.jar file will not affect EVRI software other than causing some error messages to appear upon the startup of MATLAB. PLS_Toolbox or compiled products (Solo, Solo+MIA, Solo_Predictor,...) should work normally as they do not depend on log4j.

If you are a PLS_Toolbox user, you will find this file starting from the top level MATLAB folder under topLevelMATLABfolder/java/jarext, for example if you are using Matlab R2020b: C:\Program Files\MATLAB\R2020b\java\jarext Note that under macOS and Linux, you will have to navigate inside of the application bundle for MATLAB under those platforms.

For our compiled products Solo (and variants) and Solo_Predictor, this log4j.jar file will found under the folder structure for the MATLAB Runtime engine, the location of which is operating system dependent. The file should be listed by the appropriate search tool and our limited testing thus far indicates no issues with Solo or Solo_Predictor. The default Windows location for compiled products (Solo, Solo+MIA, or Solo_Predictor) is, for example Solo_Predictor:

 C:\Program Files\EVRI\Solo_Predictor\application\java\jarext\log4j.jar

For Solo or Solo+MIA version 9.0:

 C:\Program Files\MATLAB\MATLAB Runtime\v99\java\jarext\log4j.jar

We recommend that you contact The Mathworks regarding this issue to get their official response.


Still having problems? Please contact our helpdesk at helpdesk@eigenvector.com