Apache log4j vulnerability
last update: Dec 27th
ESI Group response to the Log4j vulnerability CVE-2021-44228
Since Friday December 10th ESI is investigating the impact of the log4j vulnerability, known as Log4Shell referenced in CVE-2021-44228.
We at ESI are committed to the security of our products in our customers IT Environment. Below you will find more information on our efforts to mitigate possible impact.
A critical vulnerability in Apache Log4j impacting versions from 2.0-beta9 through 2.12.1 and 2.14.0 through 2.14.1 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-44228.
The table below provides currently available information about the potential impact of this vulnerability on ESI Group products.
| Solutions | Products | Exposure to CVE-2021-44228 | Fixed version | Mitigation |
|---|---|---|---|---|
| Casting | ProCAST / QuikCAST | No (1) | N/A | N/A |
| Composites | PAM-COMPOSITES | No (1) | N/A | N/A |
| Computational Fluid Dynamics | ACE+ | No | N/A | N/A |
| Interior Solution | N/A | No (1) | N/A | N/A |
| Sheet Metal Forming | PAM-STAMP | No (1) | N/A | N/A |
| System Simulation | SimulationX | No | N/A | N/A |
| Vibro Acoustics | VAOne | No | N/A | N/A |
| Virtual Performance Solution | VPS | No (1) | N/A | N/A |
| Virtual Reality | IC.IDO | No | N/A | N/A |
| Virtual Seat Solution | N/A | No (1) | N/A | N/A |
| Welding & Assembly | SYSWELD | No (1) | N/A | N/A |
| Multiphysics | SYSTUS | No (1) | N/A | N/A |
| VDSS Server | N/A | Yes (2) | Available | Patch |
(1) The Visual Environment user interface uses JAVA for APIHelp server which uses log4j api v1.2 not log4j-core. It is therefore not affected by the reported vulnerability.
(2) VDSS Server patch is available and has been applied/distributed to all the customers. VDSS cloud instance updated to Log4j 2.16 and fix available and distributed for on premise VDSS installations.
FlexNet Publisher libraries embedded in ESI’s product are not affected by the reported vulnerability. For customers using the FlexNet Manager product, please refer to the Flexera community page for proposed security mitigation (Flexera’s response to Apache Log4j remote code execution vulnerability CVE-2021-4104, CVE-2021-45046... - Community).
We will continue to investigate our possible exposure to this vulnerability and provide further updates if any new risk is identified in our products.