About Apache Log4j vulnerability

Minh Nguyen · ‎2021-12-14

Dear All,

Last week, a critical security vulnerability in Java logging library Log4j has been found. The vulnerability allows attackers to perform remote code execution, which means they can run any code and access all data on the affected machine. It is registered in the CVE database as CVE-2021-44228. This vulnerability affected Apache Log4j between 2.x and 2.15.0-rc1 only.

The Log4j library was used in the following Archicad versions:

Log4j 1.2.7 was used by Energy Evaluation Add-On up to Archicad 20
Log4j 1.2.8 was used by Usagelog and Bug Report submitter up to Archicad 19

BIMcloud and CodeMeter components did not use the Log4j library. Therefore, no further action is required from the users.

Even though our products are not affected by the vulnerability, this may not apply to other third-parties addons. Please contact the addons’ developers for further information.

If you have any questions or comments, please let us know. Thank you very much!

Best regards,Minh

Minh Nguyen
Technical Support Engineer
GRAPHISOFT

tjmillar · ‎2021-12-16

Hi Minh, thanks for that advice! We are still on AC18, and this news just makes our long intended upgrade all the more urgent! In the meantime, do you have any advice as to how we should protect ourselves against this?

AC26 Australia, Windows 10

Minh Nguyen · ‎2021-12-16

Hello,

Thank you very much for the question!

There's no need to worry about this vulnerability. The older Archicad versions used an old Log4j library, whereas the exploit can only work between Log4j version 2.x and 2.15.0-rc1 only. In the scope of this vulnerability, we won't have to take any action on older products.

I hope it answers your question. Please let us know if you still have any concerns about this!

Best regards,

Minh

Minh Nguyen
Technical Support Engineer
GRAPHISOFT

KOA · ‎2021-12-20

Hi Minh, thanks for your information!

Please tell me/us, is it possible to replace the Log4j 1.2.7 with a newer not vulnerability one (if yes please provide the correct one) and if not, how is the correct procedure to uninstall the Energy Evaluation Add-On without uninstalling the AC20. Thanks. Greetings!

Minh Nguyen · ‎2021-12-20

Hello,

Thank you very much for the question!

As I mentioned previously, there's no need to modify anything on older Archicad versions. This specific vulnerability affects Log4j 2.x and 2.15.0-rc1 only, thus, no further action from the users is needed. Older Log4j versions are not affected by this vulnerability.

Thank you very much for your understanding! Feel free to ask if you have any questions!

Best regards,

Minh

Minh Nguyen
Technical Support Engineer
GRAPHISOFT

KUBUS · ‎2021-12-24

Hi Minh,
Our IT found some issue regarding AC20 and older since the last update about log4j.jar. Can you confirm that these older versions are still save to use?

Kind regards,
Anne

Minh Nguyen · ‎2021-12-31

Hi Anne,

Thank you for the question!

There is no action needed from the client-side. The vulnerability affects Log4j 2.x and 2.15.0-rc1 only, meanwhile older Archicad versions might contain Log4j before 2.x, thus they are not affected.

Best regards,

Minh

Minh Nguyen
Technical Support Engineer
GRAPHISOFT

Find the next step in your career as a Graphisoft Certified BIM Coordinator!

About Apache Log4j vulnerability

Still looking?

Browse more topics

See latest solutions

Start a new discussion!