topic Re: About Apache Log4j vulnerability in Installation & update

About Apache Log4j vulnerability

Minh Nguyen — Tue, 14 Dec 2021 11:35:29 GMT

Dear All,

Last week, a critical security vulnerability in Java logging library Log4j has been found. The vulnerability allows attackers to perform remote code execution, which means they can run any code and access all data on the affected machine. It is registered in the CVE database as CVE-2021-44228. This vulnerability affected Apache Log4j between 2.x and 2.15.0-rc1 only.

The Log4j library was used in the following Archicad versions:

Log4j 1.2.7 was used by Energy Evaluation Add-On up to Archicad 20
Log4j 1.2.8 was used by Usagelog and Bug Report submitter up to Archicad 19

BIMcloud and CodeMeter components did not use the Log4j library. Therefore, no further action is required from the users.

Even though our products are not affected by the vulnerability, this may not apply to other third-parties addons. Please contact the addons’ developers for further information.

If you have any questions or comments, please let us know. Thank you very much!

Best regards,Minh

Re: About Apache Log4j vulnerability

tjmillar — Thu, 16 Dec 2021 06:09:08 GMT

Hi Minh, thanks for that advice! We are still on AC18, and this news just makes our long intended upgrade all the more urgent! In the meantime, do you have any advice as to how we should protect ourselves against this?

Re: About Apache Log4j vulnerability

Minh Nguyen — Thu, 16 Dec 2021 06:31:22 GMT

Hello,

Thank you very much for the question!

There's no need to worry about this vulnerability. The older Archicad versions used an old Log4j library, whereas the exploit can only work between Log4j version 2.x and 2.15.0-rc1 only. In the scope of this vulnerability, we won't have to take any action on older products.

I hope it answers your question. Please let us know if you still have any concerns about this!

Best regards,

Minh

Re: About Apache Log4j vulnerability

KOA — Mon, 20 Dec 2021 09:16:38 GMT

Hi Minh, thanks for your information!

Please tell me/us, is it possible to replace the Log4j 1.2.7 with a newer not vulnerability one (if yes please provide the correct one) and if not, how is the correct procedure to uninstall the Energy Evaluation Add-On without uninstalling the AC20. Thanks. Greetings!

Re: About Apache Log4j vulnerability

Minh Nguyen — Mon, 20 Dec 2021 11:04:43 GMT

Hello,

Thank you very much for the question!

As I mentioned previously, there's no need to modify anything on older Archicad versions. This specific vulnerability affects Log4j 2.x and 2.15.0-rc1 only, thus, no further action from the users is needed. Older Log4j versions are not affected by this vulnerability.

Thank you very much for your understanding! Feel free to ask if you have any questions!

Best regards,

Minh

Re: About Apache Log4j vulnerability

KUBUS — Fri, 24 Dec 2021 10:24:13 GMT

Hi Minh,
Our IT found some issue regarding AC20 and older since the last update about log4j.jar. Can you confirm that these older versions are still save to use?

Kind regards,
Anne

Re: About Apache Log4j vulnerability

Minh Nguyen — Fri, 31 Dec 2021 15:28:43 GMT

Hi Anne,

Thank you for the question!

There is no action needed from the client-side. The vulnerability affects Log4j 2.x and 2.15.0-rc1 only, meanwhile older Archicad versions might contain Log4j before 2.x, thus they are not affected.

Best regards,

Minh