Faq log4j jar security issue: Difference between revisions

From Eigenvector Research Documentation Wiki
Jump to navigation Jump to search
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
===Issue:===
===Issue:===


What should I do about the log4j.jar security issue discovered in December 2021?
What should I do about the log4j.jar security issue "Log4Shell" discovered in December 2021?
[https://en.wikipedia.org/wiki/Log4Shell Wikipedia]
See [https://en.wikipedia.org/wiki/Log4Shell Wikipedia: Log4Shell]


===Possible Solutions:===
===Possible Solutions:===


All of our products are based upon the MATLAB platform, and each installation of MATLAB includes a copy of the log4j.jar file. We recommend that you remove the Matlab-related log4j.jar file immediately.
All of our products are based upon the MATLAB platform, and each installation of MATLAB includes a copy of the log4j.jar file. This instance of log4j is the older version 1, which does not have the Log4Shell vulnerability. However, log4j version 1 is old and has other vulnerabilities so we recommend that you remove the Matlab-related log4j.jar file. If you must keep the log4j.jar file because your software depends on it then it is recommended you switch to log4j version 2 and follow the suggestions as described for example at:
[https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html Patch and Mitigation].  


Our testing thus far indicates that removal of the Matab log4j.jar file will not affect EVRI software other than causing some error messages to appear upon the startup of MATLAB. PLS_Toolbox or compiled products (Solo, Solo+MIA, Solo_Predictor,...) should work normally as they do not depend on log4j.
The presence of a log4j jar file on a computer does not imply a vulnerability. It is only when log4j is used on an exposed server that the vulnerability can be a problem. We do not use log4j in Eigenvector software. Our testing thus far indicates that removal of the Matab log4j.jar file will not affect EVRI software other than causing some error messages to appear upon the startup of MATLAB. PLS_Toolbox or compiled products (Solo, Solo+MIA, Solo_Predictor,...) should work normally as they do not depend on log4j.
 
If you are a PLS_Toolbox user, you will find this file starting from the top level MATLAB folder under topLevelMATLABfolder/java/jarext, for example if you are using Matlab R2020b:
  C:\Program Files\MATLAB\R2020b\java\jarext


If you are a PLS_Toolbox user, you will find this file starting from the top level MATLAB folder under topLevelMATLABfolder/java/jarext, for example if you are using Matlab R2020b: C:\Program Files\MATLAB\R2020b\java\jarext
Note that under macOS and Linux, you will have to navigate inside of the application bundle for MATLAB under those platforms.
Note that under macOS and Linux, you will have to navigate inside of the application bundle for MATLAB under those platforms.


Line 18: Line 21:
   C:\Program Files\MATLAB\MATLAB Runtime\v99\java\jarext\log4j.jar
   C:\Program Files\MATLAB\MATLAB Runtime\v99\java\jarext\log4j.jar


We recommend that you contact The Mathworks regarding this issue to get their official response.
We recommend that you review this [https://www.mathworks.com/content/dam/mathworks/policies/mathworks-response-to-cve-2021-44228-log4j-vulnerability.pdf release] from The Mathworks on this issue and contact them with any additional queries.





Revision as of 08:14, 20 December 2021

Issue:

What should I do about the log4j.jar security issue "Log4Shell" discovered in December 2021? See Wikipedia: Log4Shell

Possible Solutions:

All of our products are based upon the MATLAB platform, and each installation of MATLAB includes a copy of the log4j.jar file. This instance of log4j is the older version 1, which does not have the Log4Shell vulnerability. However, log4j version 1 is old and has other vulnerabilities so we recommend that you remove the Matlab-related log4j.jar file. If you must keep the log4j.jar file because your software depends on it then it is recommended you switch to log4j version 2 and follow the suggestions as described for example at: Patch and Mitigation.

The presence of a log4j jar file on a computer does not imply a vulnerability. It is only when log4j is used on an exposed server that the vulnerability can be a problem. We do not use log4j in Eigenvector software. Our testing thus far indicates that removal of the Matab log4j.jar file will not affect EVRI software other than causing some error messages to appear upon the startup of MATLAB. PLS_Toolbox or compiled products (Solo, Solo+MIA, Solo_Predictor,...) should work normally as they do not depend on log4j.

If you are a PLS_Toolbox user, you will find this file starting from the top level MATLAB folder under topLevelMATLABfolder/java/jarext, for example if you are using Matlab R2020b:

 C:\Program Files\MATLAB\R2020b\java\jarext 

Note that under macOS and Linux, you will have to navigate inside of the application bundle for MATLAB under those platforms.

For our compiled products Solo (and variants) and Solo_Predictor, this log4j.jar file will found under the folder structure for the MATLAB Runtime engine, the location of which is operating system dependent. The file should be listed by the appropriate search tool and our limited testing thus far indicates no issues with Solo or Solo_Predictor. The default Windows location for compiled products (Solo, Solo+MIA, or Solo_Predictor) is, for example Solo_Predictor:

 C:\Program Files\EVRI\Solo_Predictor\application\java\jarext\log4j.jar

For Solo or Solo+MIA version 9.0:

 C:\Program Files\MATLAB\MATLAB Runtime\v99\java\jarext\log4j.jar

We recommend that you review this release from The Mathworks on this issue and contact them with any additional queries.


Still having problems? Please contact our helpdesk at helpdesk@eigenvector.com