Subscribe via RSS
Toggle Submenu
  1. Categories
  2. Recent
  3. Tags
View Replies (4)

Resolved Apache Log4j Security Vulnerabilities

  1. How-to
2
Votes
Undo
  1. Cheryl Foster
    Cheryl Foster
  2. PowerBuilder
  3. Monday, 13 December 2021 14:52 PM UTC

 

We have found that log4j files are used by PowerBuilder 2017 and PowerBuilder 2019 R1 and R2.

https://logging.apache.org/log4j/2.x/security.html

Please can you advise whether this component is used for classic client server applications and also what action we need to take to upgrade the version for the IDE to avoid the security risks.

how to converting string (Hexadecimal) to base64 ?...
Can PowerBuilder based application get impacted by...
Responses (4)
Miguel Leeuwe
Miguel Leeuwe Accepted Answer Pending Moderation
  1. Thursday, 16 December 2021 13:44 PM UTC
  2. PowerBuilder
  3. # 1

If anyone is looking for a scanning tool, I found this one very useful:

https://github.com/mergebase/log4j-detector

regards

Comment
There are no comments made yet.
Chris Pollach @Appeon
Chris Pollach @Appeon Accepted Answer Pending Moderation
  1. Tuesday, 14 December 2021 14:05 PM UTC
  2. PowerBuilder
  3. # 2

Hi Cheryl et Al;

  Please address this security vulnerability as attached.

Regards ... Chris

Attachments (1)
Appeon Security Bulletin- CVE-2021-44228.pdf
Comment
There are no comments made yet.
Arnd Schmidt
Arnd Schmidt Accepted Answer Pending Moderation
  1. Tuesday, 14 December 2021 00:24 AM UTC
  2. PowerBuilder
  3. # 3

Afaik PowerBuilder ships log4j Version 1.x.

So you have no problem with the new log4j 2 vulnerability.

But: The old jre (1.6.X) and the log4j 1 has (other) vulnerabilities too.

https://logging.apache.org/log4j/1.2/

https://www.cvedetails.com/cve/CVE-2019-17571/

hth

Arnd

Comment
Miguel Leeuwe
  1. Miguel Leeuwe
  2. Tuesday, 14 December 2021 02:08 AM UTC
This made me smile :)
  1. Helpful
There are no comments made yet.
Armeen Mazda @Appeon
Armeen Mazda @Appeon Accepted Answer Pending Moderation
  1. Monday, 13 December 2021 18:28 PM UTC
  2. PowerBuilder
  3. # 4

Hi Cheryl,

EAServer and other Java features of PowerBuilder were discontinued long ago.  My guess is Log4j is just something left over, but I don't see how that would be used by your PB apps because no matter you do traditional client/server or cloud projects PowerBuilder is not using Java.  Traditional client/server uses C/C++ and cloud projects use C#/.NET Core.  At any rate, I suggest you open a support ticket so we can carefully investigate and properly track this issue.

Best regards,
Armeen

Comment
Redentor Cruz
  1. Redentor Cruz
  2. Monday, 13 December 2021 22:18 PM UTC
Thanks for openning this discussion, @Cheryl. I'll be following this thread closely as well. Thanks, Red
  1. Helpful
There are no comments made yet.
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.