hero-banner

Progress
Security Center

Resources for Security, Privacy, Compliance
and Due Diligence

Apache Log4j Vulnerability - Update December 17th, 2021

Progress is providing the following update regarding the Apache Log4j security vulnerability (CVE-2021-44228). Except for DataDirect Hybrid Data Pipeline and Chef (with respect certain third-party components deployed with Chef products), and the addition of products in the category of Products Not Impacted, the summary below is identical to the December 11th, 2021 update.

In addition, we recommend that customers conduct their own due diligence with respect to any third-party components that you may utilize in your environment and take the appropriate actions recommended by those third parties.

Potentially Impacted Products

OpenEdge: The following OpenEdge components have been identified as susceptible to the Apache Log4j vulnerability -- 11.7.x Classic Rest Adapter, 11.7.x “import-export” Utility and OpenEdge Command Center (OECC) Version 1. As an immediate mitigation, the general recommendation is to configure the Java system property, "log4j2.formatMsgNoLookups" to “true.”
For more details review the following KB article.

DataDirect Hybrid Data Pipeline: We have identified Hybrid Data Pipeline (HDP) as susceptible to the Apache Log4j vulnerability. An immediate mitigation is available in the latest version of HDP and all customers, regardless of version in use, are strongly encouraged to upgrade to the latest build.
For mitigation instructions and more details please review the following KB article. 

Chef: Certain deployments of Chef products contain embedded third-party components which are potentially susceptible to the Apache Log4j vulnerability. For further details refer to the Chef product specific page.

These recommendations are based on our current research but may change over time. Customers are strongly advised to review further mitigation on security sites such as  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).

Products Not Directly Impacted

WhatsUp Gold, Sitefinity, Chef, MOVEit and MOVEit Cloud, WS_FTP, Kemp Loadmaster, Flowmon, Telerik, Kendo UI, Test Studio, Unite UX, NativeChat, Kinvey, Corticon, iMail, iMacros, MessageWay and DataDirect ODBC, JDBC, ADO.NET, OpenAccess, SequeLink and Data Integration Suite: Based on our findings, these products are not susceptible to the Apache Log4j security vulnerability and no further action is required at this time.

As this is an ongoing event, further updates and recommendations will be provided as needed. Please check back regularly for more information.

More product specific information can be found at the following:

Apache Log4j Vulnerability -- Under Investigation -- Dec. 10, 2021

Progress is aware of the recently discovered Log4j security vulnerability (CVE-2021-44228). We are urgently investigating any potential impact to our product portfolio and our systems and will communicate recommended steps to be taken by our customers and partners, as soon as possible.

For general information on the vulnerability, click here.

Message from Progress About Recent Vendor Vulnerabilities -- Dec. 12, 2020

The level of sophistication, volume and speed at which new security vulnerabilities, such as those experienced by Solarwinds and more recently, by Kaseya, continue to increase exponentially. They serve as a stark reminder to the whole industry that proper vulnerability management and patching practices are of critical importance. Our security teams continuously revisit our procedures and protocols in the ordinary course of business and then reevaluate them when new vendor vulnerabilities, such as these, are exposed and as we learn further information. We want to assure our customers that a highly organized security team is in place to address the many aspects of a capable security program, with vulnerability and patch management at the top of our priorities list.

Progress networks, infrastructure, business applications and products are all subject to a rigorous program of scanning, patching and configuration tuning, to ensure security is well maintained. Progress is continuously in close communication with its key vendors about the security of their products and we work hand-in-hand to ensure any vulnerabilities are quickly identified and addressed. Multiple security personnel, across the company, monitor our various environments for vulnerabilities and patching opportunities. Critical patches are applied with great speed.

At Progress, security, and especially vulnerability management, will always remain a top priority. If you have any questions regarding this message or Progress security practices, please contact security@progress.com and we will quickly address those questions or concerns.

Contact information

Privacy

Questions about Progress’ privacy practices and how we handle your personal data

privacy@progress.com

Copyrights

Use of Progress Software copyrighted materials or notice of copyright infringement

copyrights@progress.com

Trademarks

Questions about or requests to use Progress Software trademarks, logos or branding

trademarks@progress.com

General legal

legal@progress.com

Governance

bod@progress.com

Security

Questions about Security, Privacy, Compliance and Due Diligence

security@progress.com

Non-Disclosure Agreement

The document you have requested (the “Document”) is considered Confidential Information (defined below) by Progress Software Corporation, a Delaware corporation, including its direct and indirect affiliates and subsidiaries (“PSC”). Your access to the Document is subject to your agreement to the terms and conditions set forth below. Please read them carefully. If you are agreeing to this agreement not as an individual but on behalf of your employer or company, then you acknowledge that you are binding your employer or company to this agreement. The term “Recipient” shall mean whichever party to whom this applies, whether it is you as an individual or your employer or company on whose behalf you are acting.

PSC agrees to allow Recipient to access to the Document on the condition that Recipient reads, understands, and agrees to all of the following:

By clicking on the “I ACCEPT” button below, Recipient agrees to be bound by these terms and conditions. Such acceptance and agreement shall be deemed to be as effective as a written signature by you, either on behalf of yourself or the Recipient, and this agreement shall be deemed to satisfy any writings requirements of any applicable law, notwithstanding that the agreement is written and accepted electronically. Distribution or disclosure of any portion of the Document or any information or advice contained therein to persons other than PSC is prohibited, except as provided below.

Recipient may use Document only for the purpose of evaluating PSC’s operations for compliance with Recipient’s security, regulatory and other business policies (the “Purpose”). This agreement does not create or imply an agreement to complete any transaction or an assignment by PSC of any rights in its intellectual property.

Recipient has requested that Company provide Recipient a copy of the Document for reasons relating to the Purpose. The Recipient agrees that the Document contains Confidential Information. “Confidential Information” shall mean the Document and other information and materials that are (i) disclosed by PSC in writing and marked as confidential at the time of disclosure, or (ii) disclosed by PSC in any other manner and identified as confidential at the time of disclosure and within thirty (30) days of disclosure, or (iii) reasonably regarded as being of a confidential nature.

Recipient agrees that the Document shall be held in confidence by Recipient and used only for the Purpose. In maintaining confidentiality hereunder, Recipient agrees it shall not, without first obtaining the written consent of PSC, disclose or make available to any person, firm or enterprise, reproduce or transmit, or use (directly or indirectly) for its own benefit or the benefit of others, the Document. The Recipient may only disclose the Document to those who need to know such information in connection with the Purpose. Recipient shall protect the Document by using the same degree of care, but no less than a reasonable degree of care, to prevent the unauthorized use, dissemination, or publication of the Document as Recipient uses to protect its own confidential information of a like nature.

PSC reserves all rights and benefits afforded under U.S., and international copyright, patent, trade secret, trademarks or service marks and all other intellectual property rights in the Document. By gaining access to the Document, Recipient does not acquire any intellectual property rights to it, except the limited right to use the Document for the Purpose in accordance with this agreement. PSC assumes no duty or liability to the Recipient in connection with the provision of the Document. Recipient may not rely on the Document for any reason.

Recipient recognizes that irreparable injury may result in the event of a breach of its obligations contained in this agreement and that PSC would have no adequate remedy in money or damages. Recipient agrees that, in the event of such a breach or threat of such a breach, PSC shall be entitled, in addition to any other appropriate equitable remedies and damages available, to seek an injunction to restrain the violations thereof by Recipient and all persons acting for and/or with Recipient, plus recovery of attorneys’ fees and court costs and without posting a bond.

The Recipient (for itself and its successors and assigns) hereby releases PSC from any and all claims or causes of action that Recipient has, or hereafter may or shall have, against PSC in connection with the Document or Recipient’s access to the Document. Recipient shall indemnify, defend and hold harmless PSC from and against all claims, liabilities, losses and expenses suffered or incurred arising out of or in connection with (a) any breach of this agreement by Recipient or its representatives; and/or (b) any use or reliance on the Document or other Confidential Information by any party that obtains access to the Document, directly or indirectly, from or through the Recipient or at its request.

Upon termination of this agreement or written request by PSC, the Recipient shall: (i) cease using the Document, (ii) return or destroy the Document and all copies, notes or extracts thereof to PSC within seven (7) business days of receipt of request, and (iii) upon PSC’s written request, confirm in writing that Recipient has complied with these obligations.

This agreement shall be governed by, and construed in accordance with, the laws of the Commonwelath of Massachusetts applicable to agreements made and fully to be performed therein by residents thereof. This agreement can be enforced by PSC or any of its affiliates or subsidiaries, individually or collectively.

By entering your email Recipient agrees to be bound to the terms of this Agreement. If you are entering into this agreement for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity.

NDA Agree