Vulnerability CVE-2021-44228 on the java lib log4j

[Olivier E.]

Dear Customers,


Today we received questions asking if Genero products are affected by the vulnerability CVE-2021-44228. (Java library Apache Log4j).

In regards to Genero version 3.10, 3.20, and 4.00. Only Genero Report Writer (GRW/GRE) uses this java library log4j. However, it uses version 1.2.17.

The vulnerability only occurs on log4j version 2.0.x -> 2.14.1 and has been fixed in 2.15.0.

Therefore, Genero products are not affected by this problem as the log4j library used is not within the effected version range.

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

https://logging.apache.org/log4j/2.x/security.html



Four Js Development Tools

[Olivier E.]

Dear customers,



We have identified Genero Report Writer (GRW/GRE) as using the Java library log4j; however, it uses version 1.2.17 which does not fall within the effected version range (2.0beta9 -> 2.14.1).



If you read the page https://logging.apache.org/log4j/2.x/security.html, you will see in the mitigation section that "Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability."



Some of you reported that the log4j version 1.2.17 has also a moderate vulnerability CVE-2019-17571 about a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not.

GRE doesn't use SocketServer; therefore, GRE 3.10, 3.20, and 4.00 can be used, as they are not affected by this vulnerability.

As a result, there is no immediate need for Four Js to update log4j to the latest log4j version.

Four Js is evaluating the updates to the latest log4j version, to analyze the impact of the update on our products.

We will keep you informed of the evaluation.

Thank you,

Four Js Development Tools

[Olivier E.]

Dear customers,


We would like to provide you with an update about the Apache library log4j vulnerabilities https://logging.apache.org/log4j/2.x/.

As stated earlier, Genero Report Writer Engine (GRE package) is not affected by the security issues mentioned above as it uses log4j version 1.2.17.

Nevertheless, we are updating our products to use the latest maintained log4j libraries, as advised by Apache:

• GRE 4.00.05 now ships with the Apache fixed library log4j 2.17.1; it will be available next week.

• GRE 3.20.18 is now built with the Apache fixed library log4j 2.17.1; it is available now.

• GRE 3.10.xx has been updated with the Apache library log4j 2.12.4; it is scheduled to be released shortly.

If you are using any of these Genero Report Writer Engine (GRE) versions, you should update your product.


We will keep you informed of future developments.



Thank you,

Four Js Development Tools

[Mike D.]

Hello,

We have clients inquiring about the upgrade of log4j 1.x who are using GRE 3.10.xx. Is there a date when the new GRE 3.10 version, inclusive of the log4j 2.12.4 library, will be available? Thank you!

-Mike Davis

[Olivier E.]

Hello Mike,

The GRE version 3.10 packages are in the hand of the QA team. It is a question of days.
However, note that they will include log4j 2.17.1 and require Java 8 as we encountered technical issues with log4j 2.12.4 which we initially planned to include.

Olivier - Four Js Support

[Mike D.]

Great, thank you!

-Mike Davis

[Olivier E.]

Hello,

In order to close this topic about the Apache library log4j vulnerabilities https://logging.apache.org/log4j/2.x/, Four Js updated the log4j version to 2.17.1 and released on January 2022 the following Genero Report Writer versions:

• GRE version 4.00.05
• GRE version 3.20.18
• GRE version 3.10.17

We invite you to update your GRE installations to these versions.

Best regards,

Four Js Development Tools