Apache Log4j Security Vulnerability

Progress is providing the following update regarding the Apache Log4j security vulnerability (CVE-2021-44228). Except for DataDirect Hybrid Data Pipeline and Chef (with respect certain third-party components deployed with Chef products), and the addition of products in the category of Products Not Impacted, the summary below is identical to the December 11th, 2021 update.

In addition, we recommend that customers conduct their own due diligence with respect to any third-party components that you may utilize in your environment and take the appropriate actions recommended by those third parties.

POTENTIALLY IMPACTED PRODUCTS

OpenEdge: The following OpenEdge components have been identified as susceptible to the Apache Log4j vulnerability -- 11.7.x Classic Rest Adapter, 11.7.x “import-export” Utility and OpenEdge Command Center (OECC) Version 1. As an immediate mitigation, the general recommendation is to configure the Java system property, "log4j2.formatMsgNoLookups" to “true.”
For more details review the following KB article.

DataDirect Hybrid Data Pipeline: We have identified Hybrid Data Pipeline (HDP) as susceptible to the Apache Log4j vulnerability. An immediate mitigation is available in the latest version of HDP and all customers, regardless of version in use, are strongly encouraged to upgrade to the latest build.
For mitigation instructions and more details please review the following KB article. 

Chef: Certain deployments of Chef products contain embedded third-party components which are potentially susceptible to the Apache Log4j vulnerability. For further details refer to the Chef product specific page.

These recommendations are based on our current research but may change over time. Customers are strongly advised to review further mitigation on security sites such as  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).

PRODUCTS NOT DIRECTLY IMPACTED

WhatsUp Gold, Sitefinity, Chef, MOVEit and MOVEit Cloud, WS_FTP, Kemp Loadmaster, Flowmon, Telerik, Kendo UI, Test Studio, Unite UX, NativeChat, Kinvey, Corticon and DataDirect ODBC, JDBC, ADO.NET, OpenAccess, SequeLink and Data Integration Suite: Based on our findings, these products are not susceptible to the Apache Log4j security vulnerability and no further action is required at this time.

As this is an ongoing event, further updates and recommendations will be provided as needed. Please check back regularly for more information.

More product specific information can be found at the following:

• Chef 
• Corticon
• Loadmaster
• MOVEit
• Sitefinity
• WhatsUp Gold
• WS_FTP

Progress is aware of the recently discovered Log4j security vulnerability (CVE-2021-44228). We are urgently investigating any potential impact to our product portfolio and our systems and will communicate recommended steps to be taken by our customers and partners, as soon as possible.

For general information on this specific vulnerability, click here.

At Progress, security, and especially vulnerability management, will always remain a top priority. If you have any questions regarding this message or Progress security practices, please contact security@progress.com and we will quickly address those questions or concerns.