About Apache Log4j vulnerability

Minh Nguyen
Graphisoft Alumni

Dear All,

 

Last week, a critical security vulnerability was found in the Java logging library Log4j. The vulnerability allows attackers to perform remote code execution, which means they can run any code and access all data on the affected machine. It is registered in the CVE database as CVE-2021-44228. This vulnerability affected Apache Log4j between 2.x and 2.15.0-rc1 only.

 

The Log4j library was used in the following Archicad versions:

  • Log4j 1.2.7 was used by Energy Evaluation Add-On up to Archicad 20
  • Log4j 1.2.8 was used by Usagelog and Bug Report submitter up to Archicad 19

BIMcloud and CodeMeter components did not use the Log4j library. Therefore, no further action is required from the users.

 

Even though our products are not affected by the vulnerability, this may not apply to third-party add-ons. Please contact the add-ons' developers for further information.

 

If you have any questions or comments, please let us know. Thank you very much!

Best regards,

Minh

Minh Nguyen
Technical Support Engineer
GRAPHISOFT

6 REPLIES
tjmillar
Enthusiast

Hi Minh, thanks for that advice! We are still on AC18, and this news just makes our long intended upgrade all the more urgent! In the meantime, do you have any advice as to how we should protect ourselves against this?

AC26 Australia, Windows 10

Hello,

 

Thank you very much for the question!

 

There's no need to worry about this vulnerability. The older Archicad versions used an old Log4j library, whereas the exploit can work only between Log4j version 2.x and 2.15.0-rc1. In the scope of this vulnerability, we won't have to take any action on older products.

 

I hope it answers your question. Please let us know if you still have any concerns about this!

Best regards,

Minh

Minh Nguyen
Technical Support Engineer
GRAPHISOFT

KOA
Newcomer

Hi Minh, thanks for your information!

Please tell me/us, is it possible to replace Log4j 1.2.7 with a newer, non-vulnerable one (if yes, please provide the correct one), and if not, what is the correct procedure to uninstall the Energy Evaluation Add-On without uninstalling AC20? Thanks. Greetings!

Minh Nguyen
Graphisoft Alumni

Hello,

 

Thank you very much for the question!

As I mentioned previously, there's no need to modify anything on older Archicad versions. This specific vulnerability affects Log4j 2.x and 2.15.0-rc1 only; thus, no further action from the users is needed. Older Log4j versions are not affected by this vulnerability.

 

Thank you very much for your understanding! Feel free to ask if you have any questions!

 

Best regards,

Minh

Minh Nguyen
Technical Support Engineer
GRAPHISOFT

KUBUS
Graphisoft Partner

Hi Minh,
Our IT found some issue regarding AC20 and older since the last update about log4j.jar. Can you confirm that these older versions are still safe to use?

 

Kind regards, 
Anne

Minh Nguyen
Graphisoft Alumni

Hi Anne,

 

Thank you for the question!

 

There is no action needed from the client side. The vulnerability affects Log4j 2.x and 2.15.0-rc1 only; meanwhile, older Archicad versions might contain Log4j before 2.x, thus they are not affected.

 

Best regards,

Minh

Minh Nguyen
Technical Support Engineer
GRAPHISOFT
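
An added example, not Graphisoft's code and not part of any post above: a small inventory script that finds Log4j jars under a directory and places each version against the range quoted in this thread (2.x up to 2.15.0-rc1). It assumes jars follow the usual `log4j[-core]-<version>.jar` naming or carry an `Implementation-Version` manifest attribute; the directory names and sample jars are constructed.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# File names such as log4j.jar, log4j-1.2.7.jar, log4j-core-2.14.1.jar
NAME_RE = re.compile(r"log4j(?:-core|-api)?(?:-(\d+(?:\.\d+)*(?:-[A-Za-z0-9]+)?))?\.jar$", re.I)

def jar_version(jar):
    """Version from the file name, else from the manifest's Implementation-Version."""
    m = NAME_RE.search(Path(jar).name)
    if m and m.group(1):
        return m.group(1)
    try:
        with zipfile.ZipFile(jar) as z:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, OSError, zipfile.BadZipFile):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None

def classify(version):
    """Place a version against the range quoted in the thread (2.x up to 2.15.0-rc1)."""
    nums = [int(n) for n in re.findall(r"\d+", (version or "").split("-")[0])]
    if not nums:
        return "unknown"
    major, minor = (nums + [0])[:2]
    if major < 2:
        return "1.x, outside range"
    in_range = major == 2 and (minor < 15 or version.lower() == "2.15.0-rc1")
    return "2.x, in range" if in_range else "later than range"

def scan(root):
    """Map each Log4j jar under root (relative path) to (version, classification)."""
    jars = [j for j in sorted(Path(root).rglob("*.jar")) if NAME_RE.search(j.name)]
    return {j.relative_to(root).as_posix(): (jar_version(j), classify(jar_version(j))) for j in jars}

def make_jar(path, manifest_version=None):
    """Write a constructed, empty jar for the demo; not a real Log4j build."""
    path.parent.mkdir(parents=True, exist_ok=True)
    extra = f"Implementation-Version: {manifest_version}\r\n" if manifest_version else ""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n" + extra)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_jar(Path(tmp, "app-a/log4j.jar"), "1.2.8")          # constructed sample
        make_jar(Path(tmp, "app-b/lib/log4j-core-2.14.1.jar"))   # constructed sample
        print(scan(tmp))
```

Jars reported as "unknown" have neither a version in the name nor the manifest attribute and need manual inspection.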