Progress is providing the following update regarding the Apache Log4j security vulnerability (CVE-2021-44228). Except for DataDirect Hybrid Data Pipeline and Chef (with respect to certain third-party components deployed with Chef products), and the addition of products in the category of Products Not Impacted, the summary below is identical to the December 11th, 2021 update.
In addition, we recommend that customers conduct their own due diligence with respect to any third-party components that they may utilize in their environment and take the appropriate actions recommended by those third parties.
OpenEdge: The following OpenEdge components have been identified as susceptible to the Apache Log4j vulnerability: 11.7.x Classic Rest Adapter, 11.7.x "import-export" Utility and OpenEdge Command Center (OECC) Version 1. As an immediate mitigation, the general recommendation is to set the Java system property "log4j2.formatMsgNoLookups" to "true".
For more details review the following KB article.
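One way to verify that the system property above is actually present on running JVMs is sketched below; this is an added example, not Progress code or part of the KB article. The function names and the sample process listing are constructed for illustration, and the check only sees properties passed on the command line, not ones set through environment variables or configuration files.

```shell
#!/bin/sh
# Added example: audit JVM command lines for -Dlog4j2.formatMsgNoLookups=true.

# Prints "set", "disabled" or "missing" for one JVM command line.
# Assumption: when the -D option is repeated, the last occurrence is effective.
lookup_mitigation_state() (
    set -f                      # no glob expansion while word-splitting $1
    state=missing
    for arg in $1; do
        case $arg in
            -jar) break ;;      # everything after -jar belongs to the application
            -Dlog4j2.formatMsgNoLookups=*)
                case ${arg#*=} in
                    [Tt][Rr][Uu][Ee]) state=set ;;
                    *)                state=disabled ;;
                esac ;;
        esac
    done
    printf '%s\n' "$state"
)

# Reads "PID ARGS..." lines on stdin (for example from: ps -eo pid=,args=)
# and prints "PID<TAB>state" for every line that looks like a Java process.
audit_java_processes() {
    while read -r pid args; do
        case $args in
            *java*) ;;
            *) continue ;;
        esac
        printf '%s\t%s\n' "$pid" "$(lookup_mitigation_state "$args")"
    done
}

# Constructed sample listing; the PIDs, paths and jar names are made up.
sample_ps_lines() {
    cat <<'EOF'
1201 /usr/bin/java -Xmx2g -Dlog4j2.formatMsgNoLookups=true -jar app-a.jar
1202 /usr/bin/java -jar app-b.jar
1203 /opt/jdk/bin/java -Dlog4j2.formatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=false -jar app-c.jar
1204 /usr/sbin/sshd -D
EOF
}

sample_ps_lines | audit_java_processes
```

Any process reported as "missing" or "disabled" has not picked up the setting and needs its startup options reviewed.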
DataDirect Hybrid Data Pipeline: We have identified Hybrid Data Pipeline (HDP) as susceptible to the Apache Log4j vulnerability. An immediate mitigation is available in the latest version of HDP, and all customers, regardless of the version in use, are strongly encouraged to upgrade to the latest build.
For mitigation instructions and more details please review the following KB article.
Chef: Certain deployments of Chef products contain embedded third-party components which are potentially susceptible to the Apache Log4j vulnerability. For further details, refer to the Chef product-specific page.
These recommendations are based on our current research but may change over time. Customers are strongly advised to review further mitigation on security sites such as https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228.
WhatsUp Gold, Sitefinity, Chef, MOVEit and MOVEit Cloud, WS_FTP, Kemp Loadmaster, Flowmon, Telerik, Kendo UI, Test Studio, Unite UX, NativeChat, Kinvey, Corticon, iMacros and DataDirect ODBC, JDBC, ADO.NET, OpenAccess, SequeLink and Data Integration Suite: Based on our findings, these products are not susceptible to the Apache Log4j security vulnerability and no further action is required at this time.
As this is an ongoing event, further updates and recommendations will be provided as needed. Please check back regularly for more information.
More product specific information can be found at the following:
Progress is aware of the recently discovered Log4j security vulnerability (CVE-2021-44228). We are urgently investigating any potential impact to our product portfolio and our systems and will communicate recommended steps to be taken by our customers and partners, as soon as possible.
For general information on this specific vulnerability, click here.
At Progress, security, and especially vulnerability management, will always remain a top priority. If you have any questions regarding this message or Progress security practices, please contact firstname.lastname@example.org and we will quickly address those questions or concerns.
Questions about Security, Privacy, Compliance and Due Diligence: security@progress.com