Apache Log4j Vulnerability - Update December 17th, 2021
Progress is providing the following update regarding the Apache Log4j security vulnerability (CVE-2021-44228). Except for DataDirect Hybrid Data Pipeline and Chef (with respect to certain third-party components deployed with Chef products), and the addition of products to the Products Not Directly Impacted list, the summary below is identical to the December 11th, 2021 update.
In addition, we recommend that customers conduct their own due diligence with respect to any third-party components they may utilize in their environment and take the actions recommended by those third parties.
Potentially Impacted Products
OpenEdge: The following OpenEdge components have been identified as susceptible to the Apache Log4j vulnerability: the 11.7.x Classic Rest Adapter, the 11.7.x "import-export" utility and OpenEdge Command Center (OECC) Version 1. As an immediate mitigation, the general recommendation is to set the Java system property "log4j2.formatMsgNoLookups" to "true". Note that this property is honored only by Log4j 2.10 and later releases, so confirm the version of log4j-core bundled with each component before relying on it; upgrading to a fixed log4j-core release remains the complete remediation.
For more details review the following KB article.
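Because the formatMsgNoLookups mitigation depends on which log4j-core build is actually on disk, the first step is an inventory. The scanner below is an added example written for this page; it is not Progress, OpenEdge or Apache code. It walks a directory tree, opens each .jar/.war/.ear, and reports two facts per archive: the log4j-core version recorded in META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties (absent in shaded jars) and whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present. From those it states whether the property can help at all. The sample jars it builds in a temporary directory are constructed fixtures carrying only those two markers, not real Log4j distributions; the version thresholds (property introduced in 2.10, message lookups disabled by default from 2.15.0) are Apache's published facts.

```python
"""Inventory log4j-core copies and decide whether log4j2.formatMsgNoLookups=true applies."""
import os
import re
import tempfile
import zipfile

# Marker paths inside a log4j-core (or shaded) jar. Both are the real Log4j 2 paths.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release suffix such as '2.0-beta9' is dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def classify(version, has_jndi_lookup):
    """Return (status, advice) for one log4j-core copy found on disk."""
    if not has_jndi_lookup:
        return "mitigated", "JndiLookup.class absent; message lookups cannot reach JNDI"
    if version is None:
        return "unknown", "JndiLookup.class present but version unreadable (shaded jar?); treat as vulnerable"
    if version >= (2, 15, 0):
        return "fixed", "2.15.0 and later disable message lookups by default"
    if version >= (2, 10, 0):
        return "vulnerable", "formatMsgNoLookups=true is an interim mitigation; upgrade log4j-core"
    return "vulnerable", "formatMsgNoLookups is ignored before 2.10; remove JndiLookup.class or upgrade"


def inspect_jar(path):
    """Return (version, has_jndi_lookup), or None if the archive carries neither marker."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1].strip())
        if not has_jndi and version is None:
            return None
        return version, has_jndi


def scan_tree(root):
    """Walk root and classify every .jar/.war/.ear that looks like log4j-core. Keys use '/'."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            try:
                found = inspect_jar(path)
            except zipfile.BadZipFile:
                continue  # not a valid zip; skip rather than abort the whole scan
            if found:
                key = os.path.relpath(path, root).replace(os.sep, "/")
                results[key] = classify(*found)
    return results


def make_sample_jar(path, version=None, include_jndi=True):
    """Constructed fixture: a minimal jar holding only the two marker entries."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not bytecode


def demo():
    """Build constructed jars in a temporary directory and return the scan results."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "log4j-core-2.8.2.jar"), "2.8.2")
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", include_jndi=False)
    os.makedirs(os.path.join(root, "lib"))
    make_sample_jar(os.path.join(root, "lib", "shaded-app.jar"), None)            # shaded, no pom
    make_sample_jar(os.path.join(root, "lib", "other.jar"), None, include_jndi=False)  # not Log4j
    return scan_tree(root)


if __name__ == "__main__":
    for jar, (status, advice) in sorted(demo().items()):
        print("%-32s %-10s %s" % (jar, status, advice))
```

Point scan_tree at the installation directories of the affected components rather than at demo() when using this for real. For copies classified "vulnerable" on 2.10 or later, the property can be supplied without editing launch scripts by exporting JAVA_TOOL_OPTIONS=-Dlog4j2.formatMsgNoLookups=true in the service's environment; a copy reported as "unknown" or as pre-2.10 needs the upgrade or the JndiLookup.class removal regardless of the property.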
DataDirect Hybrid Data Pipeline: We have identified Hybrid Data Pipeline (HDP) as susceptible to the Apache Log4j vulnerability. An immediate mitigation is available in the latest version of HDP and all customers, regardless of version in use, are strongly encouraged to upgrade to the latest build.
For mitigation instructions and more details please review the following KB article.
Chef: Certain deployments of Chef products contain embedded third-party components which are potentially susceptible to the Apache Log4j vulnerability. For further details refer to the Chef product specific page.
These recommendations are based on our current research but may change over time. Customers are strongly advised to review further mitigation guidance on security sites such as https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228.
Products Not Directly Impacted
WhatsUp Gold, Sitefinity, Chef (the Chef products themselves; see the note above regarding embedded third-party components), MOVEit and MOVEit Cloud, WS_FTP, Kemp Loadmaster, Flowmon, Telerik, Kendo UI, Test Studio, Unite UX, NativeChat, Kinvey, Corticon, iMail, iMacros, MessageWay and DataDirect ODBC, JDBC, ADO.NET, OpenAccess, SequeLink and Data Integration Suite: Based on our findings, these products are not susceptible to the Apache Log4j security vulnerability and no further action is required at this time.
As this is an ongoing event, further updates and recommendations will be provided as needed. Please check back regularly for more information.
More product-specific information can be found at the following:
Apache Log4j Vulnerability -- Under Investigation -- Dec. 10, 2021
Progress is aware of the recently discovered Log4j security vulnerability (CVE-2021-44228). We are urgently investigating any potential impact to our product portfolio and our systems and will communicate recommended steps to be taken by our customers and partners, as soon as possible.
For general information on the vulnerability, click here.
Message from Progress About Recent Vendor Vulnerabilities -- Dec. 12, 2020
The sophistication, volume and speed of new security vulnerabilities, such as those experienced by SolarWinds and, more recently, by Kaseya, continue to increase. They serve as a stark reminder to the whole industry that proper vulnerability management and patching practices are of critical importance. Our security teams continuously revisit our procedures and protocols in the ordinary course of business and then reevaluate them when new vendor vulnerabilities, such as these, are exposed and as we learn further information. We want to assure our customers that a highly organized security team is in place to address the many aspects of a capable security program, with vulnerability and patch management at the top of our priorities list.
Progress networks, infrastructure, business applications and products are all subject to a rigorous program of scanning, patching and configuration tuning, to ensure security is well maintained. Progress is continuously in close communication with its key vendors about the security of their products and we work hand-in-hand to ensure any vulnerabilities are quickly identified and addressed. Multiple security personnel, across the company, monitor our various environments for vulnerabilities and patching opportunities. Critical patches are applied with great speed.
At Progress, security, and especially vulnerability management, will always remain a top priority. If you have any questions regarding this message or Progress security practices, please contact email@example.com and we will quickly address those questions or concerns.