Whole Tomato Software Forums
 log4j vulnerability in VAssist license server
TOPIC REVIEW
TableauBen Posted - Feb 04 2022 : 5:33:40 PM
Hello all,

We use a Visual Assist license server, and our security scanning software has flagged it as being vulnerable to the recent log4j exploit:
PluginOutput:

Path : C:\Program Files\Embarcadero\ELC5.33\LicenseCenter\lib\log4j-1.2.15.jar
Installed version : 1.2.15

Path : C:\Program Files\Embarcadero\ELC5.33\ReportingEngine\lib\log4j-1.2.15.jar
Installed version : 1.2.15

Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)

I've emailed [email protected] for guidance, but I haven't received a response. Does anyone know if there is a more recent version of license server software with the patched version of log4j?

Thanks,
Ben
11 LATEST REPLIES (Newest First)
ChrisG Posted - Dec 12 2022 : 5:23:53 PM
I spoke with the ELC team, and they had some good news.

"ELC version 5.41 uses Log4J 2.17.2"

So, the issue is 5.36 wasn't the latest version. You can download the latest version here:
https://docwiki.embarcadero.com/ELC/54/en/ELC_Quick_Start
ChrisG Posted - Dec 09 2022 : 3:09:51 PM
> Is there a timeline for a license server that uses a current version of log4j?
Not that I am aware of. I have directed your concern to the team responsible for the license server.
TableauBen Posted - Dec 09 2022 : 3:03:36 PM
It seemed to offer the option to migrate settings from 5.33.

Unfortunately, even the latest version continues to use log4j 1.12.15, which was end-of-lifed back in 2015 and has numerous, unpatched security vulnerabilities: https://logging.apache.org/log4j/1.2/

Is there a timeline for a license server that uses a current version of log4j?
ChrisG Posted - Dec 09 2022 : 3:02:33 PM
As the license server is maintained by another team, it would be best to direct that question to [email protected].
TableauBen Posted - Dec 09 2022 : 2:50:07 PM
Thanks for the link.

I'm upgrading from v5.33 to the latest 5.36. Do I need to uninstall the prior version first? Will my existing settings (license and named users) be migrated?
feline Posted - Dec 06 2022 : 10:27:56 AM
You can download the latest version of the license server from here:

https://docwiki.embarcadero.com/ELC/53/en/ELC_Quick_Start
TableauBen Posted - Nov 29 2022 : 6:25:11 PM
No worries! How do I go about getting the updated version?
ChrisG Posted - Nov 29 2022 : 5:55:32 PM
We have. I should have noted that in this thread, and I apologize for not doing so.
TableauBen Posted - Nov 29 2022 : 4:28:29 PM
Hi Chris, do you know if you've released an update to the server that uses a version of log4j that has addressed the security issue from last year?
TableauBen Posted - Feb 17 2022 : 1:08:19 PM
Hi Chris,

Thank you for the response. Unfortunately, even with this assurance, we cannot continue to run a server with a known vulnerability. Do you have a time frame for when you will have a patch for the issue? Alternatively, what other options do we have to administer our licenses?
ChrisG Posted - Feb 04 2022 : 7:57:08 PM
Hello Ben,

I'm sorry you didn't receive a response from support. I emailed you back, but it could have gone to spam.

I checked with the licensing server team. Here is their response.

"Log4J version 1.2.15 used by license server ELC and reporting engine ERE has not been compromised and does not pose security risk. There is a specific case that is problematic if a specific Log4J functionality is used. Neither ELC nor ERE use that functionality."

If we have any further updates, I will be sure to post them here.
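The scanner in the opening post flags the jar purely by version, while the vendor statement relayed above rests on a narrower claim: the JMSAppender that CVE-2021-4104 concerns is not used. A practitioner would want to check both on the actual box before accepting either. The script below is an added example, not code from Whole Tomato Software or Embarcadero: it walks an install tree, reads each log4j jar's version from its manifest (falling back to the file name), and reports whether any file-based log4j 1.x configuration wires up `org.apache.log4j.net.JMSAppender`. The directory layout built by `build_sample_tree()`, the sample configs it writes, and the script name `log4j_audit.py` in the usage comment are all constructed for the demo, not taken from a real ELC install.

```python
"""Audit an install tree for Log4j 1.x jars and for JMSAppender configuration.

Added example; not code from Whole Tomato Software or Embarcadero. The sample
tree built by build_sample_tree() is constructed for the demo and only mimics
the lib/ layout reported by the scanner in this thread.
"""
import json
import os
import re
import sys
import tempfile
import zipfile

# The appender class whose JNDI lookups are the subject of CVE-2021-4104.
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
JAR_NAME = re.compile(r"^log4j(?:-(?:core|api))?-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)
CONFIG_NAME = re.compile(r"^log4j2?\.(?:properties|xml)$", re.IGNORECASE)


def log4j_version_from_jar(path):
    """Read Implementation-Version from META-INF/MANIFEST.MF; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        found = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if found:
            return found.group(1)
    except (OSError, KeyError, zipfile.BadZipFile):
        pass  # unreadable or manifest-less jar: trust the file name only
    found = JAR_NAME.match(os.path.basename(path))
    return found.group(1) if found else None


def config_uses_jms_appender(text):
    """True if a log4j 1.x properties or XML config wires up the JMSAppender.

    properties: log4j.appender.X=org.apache.log4j.net.JMSAppender
    xml:        <appender name="X" class="org.apache.log4j.net.JMSAppender">
    """
    return JMS_APPENDER in text


def audit_tree(root):
    """Walk root and report every log4j jar plus every file-based log4j config."""
    jars, configs = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if JAR_NAME.match(name):
                version = log4j_version_from_jar(full)
                jars.append({"path": full, "version": version,
                             "log4j1_eol": bool(version and version.startswith("1."))})
            elif CONFIG_NAME.match(name):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    configs.append({"path": full,
                                    "jms_appender": config_uses_jms_appender(fh.read())})
    return {"jars": jars, "configs": configs,
            "jms_appender_configured": any(c["jms_appender"] for c in configs)}


def build_sample_tree(with_jms=False):
    """Constructed stand-in for an install directory (not a real ELC layout)."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    lib = os.path.join(root, "LicenseCenter", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.15.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nImplementation-Version: 1.2.15\n")
    # File/rolling-file appender only: the configuration CVE-2021-4104 does not reach.
    with open(os.path.join(root, "LicenseCenter", "log4j.properties"), "w") as fh:
        fh.write("log4j.rootLogger=INFO, file\n"
                 "log4j.appender.file=org.apache.log4j.RollingFileAppender\n"
                 "log4j.appender.file.File=logs/elc.log\n")
    if with_jms:  # constructed vulnerable variant, to show the positive case
        jms_dir = os.path.join(root, "demo-jms")
        os.makedirs(jms_dir)
        with open(os.path.join(jms_dir, "log4j.xml"), "w") as fh:
            fh.write('<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">\n'
                     '  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>\n'
                     '</log4j:configuration>\n')
    return root


if __name__ == "__main__":
    # Usage: python log4j_audit.py "C:\Program Files\Embarcadero\ELC5.33"
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(with_jms=True)
    print(json.dumps(audit_tree(target), indent=2))
```

Two caveats apply to reading the result. The config check only covers file-based configuration; an appender wired up programmatically, or a configuration file an attacker can write to, is outside its scope, and for CVE-2021-4104 the attacker needs exactly that kind of control over the appender settings. And a clean `jms_appender_configured: False` says nothing about the rest of the 1.x line: `log4j1_eol` is reported separately because a 1.2.x jar stays out of support whichever appenders it is configured with.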

© 2023 Whole Tomato Software, LLC