| Author |
 Topic  |
|
|
TableauBen
New Member
USA
6 Posts |
 Posted - Feb 04 2022 : 5:33:40 PM
|
Hello all,
We use a Visual Assist license server, and our security scanning software has flagged it as being vulnerable to the recent log4j exploit:
PluginOutput:
Path : C:\Program Files\Embarcadero\ELC5.33\LicenseCenter\lib\log4j-1.2.15.jar
Installed version : 1.2.15
Path : C:\Program Files\Embarcadero\ELC5.33\ReportingEngine\lib\log4j-1.2.15.jar
Installed version : 1.2.15
Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
I've emailed [email protected] for guidance, but I haven't received a response. Does anyone know if there is a more recent version of license server software with the patched version of log4j?
Thanks,
Ben |
|
|
ChrisG
Whole Tomato Software
USA
299 Posts |
Posted - Feb 04 2022 : 7:57:08 PM
|
Hello Ben,
I'm sorry you didn't receive a response from support. I emailed you back, but it could have gone to spam.
I checked with the licensing server team. Here is their response.
"Log4J version 1.2.15 used by license server ELC and reporting engine ERE has not been compromised and does not pose security risk. There is a specific case that is problematic if a specific Log4J functionality is used. Neither ELC nor ERE use that functionality."
If we have any further updates, I will be sure to post them here. |
 |
|
|
TableauBen
New Member
USA
6 Posts |
Posted - Feb 17 2022 : 1:08:19 PM
|
Hi Chris,
Thank you for the response. Unfortunately, even with this assurance, we cannot continue to run a server with a known vulnerability. Do you have a time frame for when you will have a patch for the issue? Alternatively, what other options do we have to administer our licenses? |
|
|
|
TableauBen
New Member
USA
6 Posts |
Posted - Nov 29 2022 : 4:28:29 PM
|
| Hi Chris, do you know if you've released an update to the server that uses a version of log4j that has addressed the security issue from last year? |
|
|
|
ChrisG
Whole Tomato Software
USA
299 Posts |
Posted - Nov 29 2022 : 5:55:32 PM
|
| We have. I should have noted that in this thread, and I apologize for not. |
|
|
|
TableauBen
New Member
USA
6 Posts |
Posted - Nov 29 2022 : 6:25:11 PM
|
| No worries! How do I go about getting the updated version? |
|
|
|
feline
Whole Tomato Software
United Kingdom
18750 Posts |
|
|
TableauBen
New Member
USA
6 Posts |
Posted - Dec 09 2022 : 2:50:07 PM
|
Thanks for the link.
I'm upgrading from v5.33 to the latest 5.36. Do I need to uninstall the prior version first? Will my existing settings (license and named users) be migrated? |
|
|
|
ChrisG
Whole Tomato Software
USA
299 Posts |
Posted - Dec 09 2022 : 3:02:33 PM
|
| As the license server is maintained by another team, it would be best to direct that question to [email protected]. |
|
|
|
TableauBen
New Member
USA
6 Posts |
Posted - Dec 09 2022 : 3:03:36 PM
|
It seemed to offer the option to migrate settings from 5.33.
Unfortunately, even the latest version continues to use log4j 1.12.15, which was end-of-lifed back in 2015 and has numerous, unpatched security vulnerabilities: https://logging.apache.org/log4j/1.2/
Is there a timeline for a license server that uses a current version of log4j? |
|
|
|
ChrisG
Whole Tomato Software
USA
299 Posts |
Posted - Dec 09 2022 : 3:09:51 PM
|
> Is there a timeline for a license server that uses a current version of log4j?
Not that I am aware of. I have directed your concern to the team responsible for the license server. |
|
|
|
ChrisG
Whole Tomato Software
USA
299 Posts |
|
| |
Topic |
|
log4j vulnerability in VAssist license server
