Gaurav Srivastava
The Semarchy engineering team is monitoring - as part of the build & quality processes - Common Vulnerabilities and Exposures (CVEs) that impact libraries or third-party components shipped in the Semarchy/Stambia products.
Multiple vulnerabilities affecting the Log4J2 (Log4J version 2) library, commonly used in applications for logging services, have been reported under the CVE-2021-44228, CVE-2021-45105, CVE-2021-44832, and CVE-2021-45046 references.
Multiple vulnerabilities affecting the Log4J1 (Log4J version 1) library, commonly used in applications for logging services, have been reported under the CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307 references.
The impact for each product is summarized below.
Designer
The Designer does not use Log4J for logging purposes. It is therefore not affected by the reported vulnerabilities.
Analytics
Analytics does not use Log4J2 (Log4J version 2). It is not affected by the Log4J2 (Log4J version 2) vulnerabilities.
Analytics uses the previous version of that library, Log4J1 (Log4J Version 1), which has other reported vulnerabilities. However, Analytics is not affected by these vulnerabilities.
Although not affected, Analytics has been upgraded in Semarchy xDI 2023.1.0 to use Log4J2 (Log4J version 2) 2.17.1 version.
Runtime
The Runtime does not use Log4J2 (Log4J version 2). It is not affected by the Log4J2 (Log4J version 2) vulnerabilities.
The Runtime uses the previous version of that library, Log4J1 (Log4J Version 1), which has other reported vulnerabilities; the affected code paths can be easily identified and mitigated.
The Runtime has been upgraded in Semarchy xDI 2023.1.0 to use Log4J2 (Log4J version 2) 2.17.1 version.
Components
The only component shipping Log4J2 (Log4J version 2) is the ElasticSearch component, which is not affected by the CVEs (it is a transitive dependency not exposed to end-users).
Although not affected, the ElasticSearch component has been upgraded in the Component Pack version 3.0.0 to use the Log4J2 (Log4J version 2) 2.16.0 version, which includes the fixes to CVE-2021-44228 and CVE-2021-45046.
Although not affected, the ElasticSearch component has been upgraded in the Component Pack version 3.0.2 to use the Log4J2 (Log4J version 2) 2.17.1 version, which includes the fixes to CVE-2021-45105 and CVE-2021-44832.
License Server
The License Server product includes solely the API of the Apache Log4J2 library and not the implementations. It is therefore not affected by the vulnerabilities.
Although not affected, the License Server has been upgraded in version 5.3.0 to use the Log4J2 (Log4J version 2) 2.16.0 version, which includes the fixes to CVE-2021-44228 and CVE-2021-45046.
Although not affected, the License Server has been upgraded in version 5.3.2 to use the Log4J2 (Log4J version 2) 2.17.1 version, which includes the fix to CVE-2021-45105 and CVE-2021-44832.
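The Components and License Server sections above rest on two facts that an operator can verify on an installed product: which Log4J artifact a jar actually carries (the API-only jar versus the log4j-core implementation, or the 1.x line) and whether its version is at or above the fix versions the notice cites (2.16.0 for CVE-2021-44228 and CVE-2021-45046, 2.17.1 for CVE-2021-45105 and CVE-2021-44832). The following inventory script is an added example, not Semarchy's code; it assumes the jars carry the standard Maven META-INF/maven/.../pom.properties entry, and the sample jars it builds are constructed fixtures, not files from any product.

```python
"""Inventory Log4J artifacts under an install directory and report, per jar, which of the
CVEs named in the notice its version still leaves open.

Added example (not Semarchy's code). Assumes jars carry a Maven pom.properties entry."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Fix versions for the Log4J 2 line, as stated in the notice.
LOG4J2_FIXES = {
    "CVE-2021-44228": (2, 16, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 1),
    "CVE-2021-44832": (2, 17, 1),
}
# CVEs the notice lists against the Log4J 1 line. No fixed 1.x release exists, so every
# 1.x implementation jar is reported with all of them; whether they are reachable
# depends on which appenders are configured (the notice states Runtime and Analytics are not affected).
LOG4J1_CVES = ("CVE-2019-17571", "CVE-2020-9488", "CVE-2022-23302",
               "CVE-2022-23305", "CVE-2022-23307")
LOG4J_GROUPS = {"org.apache.logging.log4j", "log4j"}


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); qualifiers such as '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def classify(group_id, artifact_id, version):
    """Return (role, cves) for one Maven coordinate, or None if it is not Log4J."""
    if group_id not in LOG4J_GROUPS:
        return None
    if artifact_id == "log4j-api":
        # API-only jar: carries no lookups or appenders, so none of the notice's CVEs apply
        return ("log4j2-api-only", ())
    if artifact_id == "log4j-core":
        v = parse_version(version)
        open_cves = tuple(cve for cve, fix in LOG4J2_FIXES.items() if v < fix)
        return ("log4j2-core", open_cves)
    if group_id == "log4j" and artifact_id == "log4j":
        return ("log4j1", LOG4J1_CVES)
    return ("log4j2-other", ())


def read_coordinates(jar_bytes):
    """Yield (groupId, artifactId, version) from every pom.properties inside the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, _, val = line.partition("=")
                    props[key.strip()] = val.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                yield props["groupId"], props["artifactId"], props["version"]


def inspect_jar(jar_bytes):
    """Return [(artifactId, version, role, cves)] for the Log4J coordinates found in a jar."""
    findings = []
    for group_id, artifact_id, version in read_coordinates(jar_bytes):
        hit = classify(group_id, artifact_id, version)
        if hit:
            findings.append((artifact_id, version, hit[0], hit[1]))
    return findings


def scan_tree(root):
    """Walk an install directory; return {jar path: findings} for jars that contain Log4J."""
    report = {}
    for jar in Path(root).rglob("*.jar"):
        findings = inspect_jar(jar.read_bytes())
        if findings:
            report[str(jar)] = findings
    return report


def build_sample_jar(group_id, artifact_id, version):
    """Constructed fixture: a minimal jar carrying only a Maven pom.properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group_id}/{artifact_id}/pom.properties",
                    f"groupId={group_id}\nartifactId={artifact_id}\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed layout mirroring the notice: API-only, a 2.16.0 core, and a 1.x jar.
    samples = {
        "license-server/log4j-api-2.17.1.jar": ("org.apache.logging.log4j", "log4j-api", "2.17.1"),
        "components/elasticsearch/log4j-core-2.16.0.jar": ("org.apache.logging.log4j", "log4j-core", "2.16.0"),
        "runtime/log4j-1.2.17.jar": ("log4j", "log4j", "1.2.17"),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, coords in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(build_sample_jar(*coords))
        for jar, findings in sorted(scan_tree(root).items()):
            for artifact, version, role, cves in findings:
                print(f"{jar}: {artifact} {version} [{role}] "
                      f"{', '.join(cves) or 'no CVEs from the notice'}")
```

Point `scan_tree` at a product install directory to confirm that the only log4j-core jars present are at 2.17.1 or later and that anything older than that in the output is either the API-only jar (reported as `log4j2-api-only`) or a 1.x jar whose configured appenders you have checked.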
The attached xDI Security Notice provides detailed information.
Do not hesitate to contact our support team if you have additional questions or need further clarifications.