Apache log4j vulnerability

last update: Dec 27th

ESI Group response to the Log4j vulnerability CVE-2021-44228

Since Friday, December 10th, ESI has been investigating the impact of the Log4j vulnerability known as Log4Shell, referenced as CVE-2021-44228.

We at ESI are committed to the security of our products in our customers' IT environments. Below you will find more information on our efforts to mitigate possible impact.

A critical vulnerability in Apache Log4j impacting versions from 2.0-beta9 through 2.12.1 and 2.14.0 through 2.14.1 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-44228.
The table below provides currently available information about the potential impact of this vulnerability on ESI Group products.

 

| Solutions | Products | Exposure to CVE-2021-44228 | Fixed version | Mitigation |
|---|---|---|---|---|
| Casting | ProCAST / QuikCAST | No (1) | N/A | N/A |
| Composites | PAM-COMPOSITES | No (1) | N/A | N/A |
| Computational Fluid Dynamics | ACE+ | No | N/A | N/A |
| Interior Solution | N/A | No (1) | N/A | N/A |
| Sheet Metal Forming | PAM-STAMP | No (1) | N/A | N/A |
| System Simulation | SimulationX | No | N/A | N/A |
| Vibro Acoustics | VAOne | No | N/A | N/A |
| Virtual Performance Solution | VPS | No (1) | N/A | N/A |
| Virtual Reality | IC.IDO | No | N/A | N/A |
| Virtual Seat Solution | N/A | No (1) | N/A | N/A |
| Welding & Assembly | SYSWELD | No (1) | N/A | N/A |
| Multiphysics | SYSTUS | No (1) | N/A | N/A |
| VDSS Server | N/A | Yes (2) | Available | Patch |

(1) The Visual Environment user interface uses Java for the APIHelp server, which uses the log4j API v1.2, not log4j-core. It is therefore not affected by the reported vulnerability.
(2) The VDSS Server patch is available and has been applied/distributed to all customers. The VDSS cloud instance has been updated to Log4j 2.16, and a fix is available and has been distributed for on-premise VDSS installations.

FlexNet Publisher libraries embedded in ESI’s products are not affected by the reported vulnerability. For customers using the FlexNet Manager product, please refer to the Flexera community page for proposed security mitigation (Flexera’s response to Apache Log4j remote code execution vulnerability CVE-2021-4104, CVE-2021-45046... - Community).
                
We will continue to investigate our possible exposure to this vulnerability and provide further updates if any new risk is identified in our products.