Article - CS358965
Security issue regarding Log4j file in Creo Elements/Direct Model Manager
Modified: 22-Dec-2021
Applies To
- Creo Elements/Direct Model Manager / Drawing Manager 20.2 to 20.4
Description
- A critical zero-day vulnerability has been reported in the third-party library Apache Log4j:
- Log4j 2 – CVE-2021-44228 https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Log4j 2 – CVE-2021-45046 https://nvd.nist.gov/vuln/detail/CVE-2021-45046
- Log4j 2 – CVE-2021-45105 https://nvd.nist.gov/vuln/detail/CVE-2021-45105
- Please refer to this Apache article for more details on CVE-2021-44228 and CVE-2021-45046: https://logging.apache.org/log4j/2.x/security.html
- Log4j 1 – CVE-2021-4104 https://nvd.nist.gov/vuln/detail/CVE-2021-4104
- Log4j 1 – CVE-2019-17571 https://nvd.nist.gov/vuln/detail/CVE-2019-17571
- Please refer to this Red Hat article for more details on CVE-2021-4104: https://access.redhat.com/security/cve/CVE-2021-4104
- Vulnerable Apache log4j versions: all versions from 2.0-beta9 to 2.15.0, and 1.2.17
- Model Manager doesn’t make any direct calls to JndiLookup, which has been identified as the vulnerable class
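
A local inventory check for the version ranges and the class named above, as an added example (not PTC or Apache code): it walks a directory for Log4j jars, flags file names that fall in the listed ranges, and reports whether JndiLookup.class is inside each jar. The directory argument and the reliance on standard Log4j jar file names are assumptions.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class the article names as the vulnerable one (its path inside log4j-core).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar
JAR_NAME = re.compile(
    r"log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # None = final release
# Bounds as listed in the article: 2.0-beta9 through 2.15.0, plus 1.2.17.
LOW, HIGH = (2, 0, 0, 1, 9), (2, 15, 0, 3, 0)

def version_key(name):
    """Sortable key parsed from a Log4j jar file name, or None if not one."""
    m = JAR_NAME.fullmatch(name)
    if not m:
        return None
    major, minor, patch, pre, pre_n = m.groups()
    return (int(major), int(minor), int(patch or 0),
            PRE_RANK[pre.lower() if pre else None], int(pre_n or 0))

def in_listed_range(key):
    """True if the parsed version is one the article lists as vulnerable."""
    return key[:3] == (1, 2, 17) or LOW <= key <= HIGH

def has_jndi_lookup(jar_path):
    """True/False if the jar contains JndiLookup.class; None if unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return JNDI_CLASS in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return None

def scan(root):
    """Return [(path, in_listed_range, has_jndi_lookup)] for Log4j jars under root."""
    hits = []
    for path in sorted(Path(root).rglob("*.jar")):
        key = version_key(path.name)
        if key is not None:
            hits.append((str(path), in_listed_range(key), has_jndi_lookup(path)))
    return hits

if __name__ == "__main__":
    # Directory to scan is an assumption: pass the install path as argv[1].
    for path, listed, jndi in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\tlisted_version={listed}\tJndiLookup={jndi}")
```

The version is taken from the file name only, so renamed jars and jars nested inside other archives are not covered by this check.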