log4j CVE-2021-44228
You may have heard that there is a critical security vulnerability in the "log4j" Java library, which is used by many applications in the Java ecosystem, and you might be wondering whether this affects your OpenEdge environment.
Over the weekend, Progress Software released this K-Base article: https://knowledgebase.progress.com/articles/Article/Is-OpenEdge-vulnerable-to-CVE-2021-44228-Log4j and provides more information on the page https://www.progress.com/security
If you are using any of the products mentioned in those articles, we strongly recommend taking immediate action.
Please note that in the current version of the K-Base article the JVM startup parameter is shown incorrectly: it uses a colon between the parameter name and the value. We've already reached out to Progress Software support to address this issue. The correct syntax for the startup parameter is: -Dlog4j2.formatMsgNoLookups=true (an equals sign between name and value; with a colon, the JVM defines a system property named "log4j2.formatMsgNoLookups:true" with an empty value, and the mitigation is silently not applied). Note also that this property is only honoured by Log4j 2.10 and later, and that it is an interim mitigation, not a substitute for upgrading log4j-core to a patched release.
Please note that when copy-and-pasting the parameter from this email or the K-Base article, your mail client or browser may replace the ASCII hyphen-minus with an en dash or em dash (– or —); the JVM will not recognise the option and this will cause errors at startup. Check the pasted parameter character by character before restarting the process.
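Both copy-and-paste failure modes described above (a typographic dash instead of the ASCII hyphen-minus, and a colon instead of an equals sign) can be caught mechanically before a process is restarted. The following Python check is an added example, not part of the original email or of any Progress Software or Consultingwerk tooling; the function name validate_log4j_option is an assumption. It accepts one JVM argument as found in a startup script or configuration file and returns the form the JVM and Log4j will actually accept, together with a list of everything that was wrong.

```python
import re

# Unicode characters that mail clients, browsers and word processors commonly
# substitute for the ASCII hyphen-minus (U+002D) when "smartening" text.
DASH_LOOKALIKES = {
    "\u2010": "hyphen",
    "\u2011": "non-breaking hyphen",
    "\u2012": "figure dash",
    "\u2013": "en dash",
    "\u2014": "em dash",
    "\u2212": "minus sign",
}

# The only form that sets the mitigation: ASCII '-', '=' and the value "true".
EXPECTED = "-Dlog4j2.formatMsgNoLookups=true"


def validate_log4j_option(arg: str):
    """Check one JVM startup argument meant to set log4j2.formatMsgNoLookups.

    Returns (ok, corrected, issues):
      ok        True when a JVM and Log4j would accept the argument as written
      corrected the normalised argument to use instead
      issues    human-readable list of what was wrong (empty when ok)
    Hypothetical helper written for this example.
    """
    issues = []
    fixed = arg.strip()

    # 1. Smart dashes: the JVM launcher only recognises "-D" with an ASCII
    #    hyphen-minus; anything else is treated as the main class name.
    for ch, name in DASH_LOOKALIKES.items():
        if ch in fixed:
            issues.append(f"{name} (U+{ord(ch):04X}) used instead of ASCII '-'")
            fixed = fixed.replace(ch, "-")

    # 2. Separator: "-Dname:value" defines a system property *named*
    #    "name:value" with an empty value, so the mitigation is silently skipped.
    m = re.fullmatch(r"-Dlog4j2\.formatMsgNoLookups([:=])(.*)", fixed)
    if m is None:
        issues.append("not a -Dlog4j2.formatMsgNoLookups option at all")
        return False, EXPECTED, issues
    separator, value = m.group(1), m.group(2)
    if separator == ":":
        issues.append("':' used instead of '=' between property name and value")

    # 3. Value: Log4j reads the property with Boolean semantics, i.e. only the
    #    string "true" (case-insensitive) disables message lookups.
    if value.strip().lower() != "true":
        issues.append(f"value {value!r} is not 'true'; lookups stay enabled")

    return not issues, EXPECTED, issues


if __name__ == "__main__":
    # Constructed sample inputs: correct, en-dash, colon, wrong value.
    for sample in (EXPECTED,
                   "\u2013Dlog4j2.formatMsgNoLookups=true",
                   "-Dlog4j2.formatMsgNoLookups:true",
                   "-Dlog4j2.formatMsgNoLookups=yes"):
        ok, corrected, issues = validate_log4j_option(sample)
        print(f"{sample!r}: ok={ok} -> {corrected}  {issues}")
```

Run it against every JVM argument line in the startup configuration of the AppServer or REST Adapter; only an empty issues list means the option will take effect.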
According to the K-Base article from Progress Software, customers of the SmartComponent Library that are using the classic AppServer and REST Adapter are impacted by the vulnerability.
Customers using PASOE on either OpenEdge 11.7 or OpenEdge 12.x seem to be on the safe side. We have no information about earlier versions of PASOE or about OpenEdge in general.
The SmartComponent Library does not use log4j for any of its tooling or other purposes itself.
Nonetheless, we encourage everyone to review their Java infrastructure carefully. Many add-on components bundle log4j (often as a copy nested inside a WAR or EAR file rather than as a separate jar), and the vulnerability is being actively exploited. If you have internet-facing infrastructure, act immediately to mitigate the use of log4j, either by upgrading log4j-core to the patched release or by taking the temporary steps described in the articles below.
For more detailed information, the following resources are a good start:
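"Carefully review your Java infrastructure" in practice means finding every copy of log4j-core on disk, including copies nested inside WAR, EAR and jar files, and deciding per copy whether it is patched, whether the formatMsgNoLookups stop-gap even applies to it, or whether it must be upgraded. The following scanner is an added example written for this page; it is not Progress Software's, Consultingwerk's or Apache's tooling, and the function names (scan_tree, assess, build_sample_tree, demo) are assumptions. It identifies log4j-core 2.x by its Maven pom.properties and by the presence of JndiLookup.class, recurses into nested archives, and classifies each finding. Log4j 1.x is out of scope (it is not affected by CVE-2021-44228); the verdict thresholds are Apache's: 2.15.0 (and the Java 7/6 backports 2.12.2 and 2.3.1) fix CVE-2021-44228, and the formatMsgNoLookups property is honoured from 2.10.0 only.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Class implementing the JNDI lookup abused by CVE-2021-44228. It ships in every
# affected log4j-core 2.x jar; the "delete the class" stop-gap removes it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core jars carry; gives us the exact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}


def parse_version(text: str):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(p) for p in m.groups() if p is not None) if m else None


def is_patched(v):
    """True for releases that fix CVE-2021-44228 (2.15.0+, 2.12.2+, 2.3.1+)."""
    return (v >= (2, 15)
            or (v[:2] == (2, 12) and v >= (2, 12, 2))
            or (v[:2] == (2, 3) and v >= (2, 3, 1)))


def assess(version, has_jndi_lookup):
    """Turn (version, JndiLookup.class present?) into an actionable verdict."""
    if version is None:
        return ("JndiLookup.class present, version unknown: treat as VULNERABLE"
                if has_jndi_lookup else "log4j-core metadata without version: inspect manually")
    if is_patched(version):
        return "patched for CVE-2021-44228"
    if not has_jndi_lookup:
        return "affected release but JndiLookup.class removed: upgrade when possible"
    if version >= (2, 10):
        return "VULNERABLE: upgrade; -Dlog4j2.formatMsgNoLookups=true is an interim mitigation"
    return "VULNERABLE: upgrade or remove JndiLookup.class; formatMsgNoLookups is NOT honoured before 2.10"


def scan_archive(data: bytes, location: str, findings: list):
    """Inspect one archive held in memory and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (e.g. a plain file with a .jar suffix)
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = parse_version(m.group(1).strip()) if m else None
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            findings.append({"location": location, "version": version,
                             "jndi_lookup": has_jndi, "verdict": assess(version, has_jndi)})
        for name in sorted(names):  # WEB-INF/lib/*.jar inside a WAR, jars inside an EAR, ...
            if Path(name).suffix.lower() in ARCHIVE_SUFFIXES:
                scan_archive(zf.read(name), f"{location}!{name}", findings)


def scan_tree(root):
    """Walk a directory tree and return one finding per log4j-core copy."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings


def build_sample_tree(root):
    """Constructed fixture, not real artifacts: a vulnerable 2.14.1 jar, a patched
    2.15.0 jar, and a WAR that embeds a 2.9.1 jar in WEB-INF/lib."""
    root = Path(root)

    def make_core(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        return buf.getvalue()

    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(make_core("2.14.1"))
    (root / "lib" / "log4j-core-2.15.0.jar").write_bytes(make_core("2.15.0"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.9.1.jar", make_core("2.9.1"))
    (root / "app.war").write_bytes(war.getvalue())
    return root


def demo():
    """Build the constructed fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['location']}: version={f['version']} -> {f['verdict']}")
```

Point scan_tree at the OpenEdge installation directory and at every deployment directory of the classic AppServer and REST Adapter; the location field uses "archive!entry" notation so a nested hit inside a WAR can be traced back to the file that must be rebuilt or replaced.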
· https://www.lunasec.io/docs/blog/log4j-zero-day/
· SonarQube, SonarCloud, and the Log4J vulnerability
· Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet
· https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html
In German:
· Warnstufe Rot: Log4j-Zero-Day-Lücke bedroht Heimanwender und Firmen (Red alert: Log4j zero-day hole threatens home users and companies)
· BSI: Bundesbehörde warnt vor Schwachstelle in weitverbreiteter Software (BSI: Federal agency warns of vulnerability in widely used software)