2021-12-14 12:35 PM
Dear All,
Last week, a critical security vulnerability was found in the Java logging library Log4j. The vulnerability allows attackers to perform remote code execution, which means they can run any code and access all data on the affected machine. It is registered in the CVE database as CVE-2021-44228. This vulnerability affected Apache Log4j between 2.x and 2.15.0-rc1 only.
The Log4j library was used in the following Archicad versions:
BIMcloud and CodeMeter components did not use the Log4j library. Therefore, no further action is required from the users.
Even though our products are not affected by the vulnerability, this may not apply to third-party add-ons. Please contact the add-ons' developers for further information.
If you have any questions or comments, please let us know. Thank you very much!
Best regards,
Minh
Minh Nguyen
Technical Support Engineer
GRAPHISOFT
2021-12-16 07:09 AM
Hi Minh, thanks for that advice! We are still on AC18, and this news just makes our long intended upgrade all the more urgent! In the meantime, do you have any advice as to how we should protect ourselves against this?
2021-12-16 07:31 AM
Hello,
Thank you very much for the question!
There's no need to worry about this vulnerability. The older Archicad versions used an old Log4j library, whereas the exploit can only work between Log4j version 2.x and 2.15.0-rc1. In the scope of this vulnerability, we won't have to take any action on older products.
I hope it answers your question. Please let us know if you still have any concerns about this!
Best regards,
Minh
Minh Nguyen
Technical Support Engineer
GRAPHISOFT
2021-12-20 09:51 AM - edited 2021-12-20 10:16 AM
Hi Minh, thanks for your information!
Please tell me/us: is it possible to replace Log4j 1.2.7 with a newer, non-vulnerable one (if yes, please provide the correct one)? If not, what is the correct procedure to uninstall the Energy Evaluation Add-On without uninstalling AC20? Thanks. Greetings!
2021-12-20 12:04 PM
Hello,
Thank you very much for the question!
As I mentioned previously, there's no need to modify anything on older Archicad versions. This specific vulnerability affects Log4j 2.x and 2.15.0-rc1 only, thus, no further action from the users is needed. Older Log4j versions are not affected by this vulnerability.
Thank you very much for your understanding! Feel free to ask if you have any questions!
Best regards,
Minh
Minh Nguyen
Technical Support Engineer
GRAPHISOFT
2021-12-24 11:23 AM - edited 2021-12-24 11:24 AM
Hi Minh,
Our IT found some issue regarding AC20 and older since the last update about log4j.jar. Can you confirm that these older versions are still safe to use?
Kind regards,
Anne
2021-12-31 04:28 PM - edited 2021-12-31 04:28 PM
Hi Anne,
Thank you for the question!
There is no action needed from the client-side. The vulnerability affects Log4j 2.x and 2.15.0-rc1 only, meanwhile older Archicad versions might contain Log4j before 2.x, thus they are not affected.
Best regards,
Minh
Minh Nguyen
Technical Support Engineer
GRAPHISOFT
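
Added example, not part of the thread and not GRAPHISOFT code: a small inventory script for an IT team that wants to confirm which Log4j version a bundled `log4j*.jar` actually records and whether it falls in the range quoted above for CVE-2021-44228. The function names, the `SAMPLE` jar and the reading of the range as 2.0 <= version < 2.15.0 are assumptions made for this example.

```python
import io
import os
import re
import zipfile

# Range as stated in the thread ("Log4j 2.x and 2.15.0-rc1"). Assumption: read
# here as 2.0 <= numeric version < 2.15.0, with pre-release suffixes ignored.
LOWER, UPPER = (2, 0, 0), (2, 15, 0)

def jar_version(src):
    """Return the version from pom.properties or, failing that, the manifest; else None."""
    try:
        with zipfile.ZipFile(src) as jar:
            texts = {n: jar.read(n).decode("utf-8", "replace") for n in jar.namelist()
                     if n == "META-INF/MANIFEST.MF"
                     or (n.endswith("pom.properties") and "log4j" in n.lower())}
    except (OSError, zipfile.BadZipFile):
        return None
    for name in sorted(texts, key=lambda n: n.endswith("MANIFEST.MF")):
        m = re.search(r"^(?:version=|Implementation-Version:)\s*(\S+)", texts[name], re.M)
        if m:
            return m.group(1)
    return None

def classify(version):
    """Return 'in-range', 'out-of-range' or 'unknown' for a version string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return "unknown"
    parts = tuple(int(p or 0) for p in m.groups())
    return "in-range" if LOWER <= parts < UPPER else "out-of-range"

def scan(root):
    """Yield (path, version, verdict) for each log4j*.jar below root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar") and "log4j" in name.lower():
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                yield path, version, classify(version)

def make_jar(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, text in files.items():
            jar.writestr(name, text)
    return buf.getvalue()

# Constructed sample (not a real Log4j jar): manifest reporting version 1.2.7.
SAMPLE = make_jar({"META-INF/MANIFEST.MF": "Implementation-Version: 1.2.7\r\n"})
```

Run `scan()` over the application's installation directory; a verdict of `unknown` means the jar records no version in either place and needs manual inspection.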