• You are here:  
  • Home
  • Q&A
  • Q&A
  • PowerBuilder
  • Can PowerBuilder based application get impacted by log4j2 Java package?

Subscribe via RSS
Toggle Submenu
  1. Categories
  2. Recent
  3. Tags
View Replies (4)

Resolved Can PowerBuilder based application get impacted by log4j2 Java package?

  1. Advice
0
Votes
Undo
  1. Vipin Dwivedi
    Vipin Dwivedi
  2. PowerBuilder
  3. Friday, 10 December 2021 23:01 PM UTC

Hello Appeon Technical team,

Does PowerBuilder use log4j2 java based package in PowerScript? Our company is trying to to fix the vulnerability due to this package. Please find the related article. https://www.lunasec.io/docs/blog/log4j-zero-day/

Though we are not using any java based package externally in our application, we want to be sure it is not impacting PowerBuilder based application.

Please advice.

Thank you for your help.

Vipin

Apache Log4j Security Vulnerabilities
LOG4J ??
Accepted Answer
Armeen Mazda @Appeon
Armeen Mazda @Appeon Accepted Answer Pending Moderation
  1. Tuesday, 14 December 2021 17:10 PM UTC
  2. PowerBuilder
  3. # Permalink

Please see attached security bulletin from Appeon.

Attachments (1)
Appeon Security Bulletin- CVE-2021-44228.pdf
Comment
There are no comments made yet.
Responses (4)
Miguel Leeuwe
Miguel Leeuwe Accepted Answer Pending Moderation
  1. Thursday, 16 December 2021 13:45 PM UTC
  2. PowerBuilder
  3. # 1

If anyone is looking for a scanning tool, I found this one very useful:

https://github.com/mergebase/log4j-detector

regards

Comment
There are no comments made yet.
Armeen Mazda @Appeon
Armeen Mazda @Appeon Accepted Answer Pending Moderation
  1. Monday, 13 December 2021 18:29 PM UTC
  2. PowerBuilder
  3. # 2

Hi Vipin

As Chris mentioned, PowerBuilder does not use Java internally (anymore).  Specifically, EAServer and other Java features of PowerBuilder were discontinued long ago.  My guess is Log4j is just something left over, but I still suggest you open a support ticket so we can carefully investigate and properly track this issue.

Best regards,
Armeen

Comment
Load more comments
Armeen Mazda @Appeon
  1. Armeen Mazda @Appeon
  2. Monday, 13 December 2021 19:03 PM UTC
Great, thanks.
  1. Helpful
Miguel Leeuwe
  1. Miguel Leeuwe
  2. Monday, 13 December 2021 19:06 PM UTC
Ups, so did I ...
  1. Helpful
Miguel Leeuwe
  1. Miguel Leeuwe
  2. Monday, 13 December 2021 19:09 PM UTC
Ok Vipin, yours must be "private" since I didn't see it.
  1. Helpful
There are no comments made yet.
Chris Pollach @Appeon
Chris Pollach @Appeon Accepted Answer Pending Moderation
  1. Friday, 10 December 2021 23:34 PM UTC
  2. PowerBuilder
  3. # 3

Hi Vipin;

   PowerBuilder does not use any Java internally. You can consume Java Classes though if your App requires. 

   For logging, I would recommend that you code your own (very simple to do). I mentioned this in my Elevate conference session on PowerServer unsupported features about PB Apps that can log to the O/S debug queue, OS App Event Queue or their own logging queue.

Regards ... Chris

Comment
Vipin Dwivedi
  1. Vipin Dwivedi
  2. Monday, 13 December 2021 18:45 PM UTC
Thank you Chris. Basically I am not coding any logging feature to the application. We wanted to ensure whether PB is making any internal java code having log4j feature/code.
  1. Helpful
Miguel Leeuwe
  1. Miguel Leeuwe
  2. Monday, 13 December 2021 19:05 PM UTC
That's great to hear Chris!

We DO connect using JDBC to our Tibero database. So is it allright to simply DELETE these files?



Directory of C:\Appeon2017\Shared\PowerBuilder\WEB-INF\lib

17/10/2016 13:22 489,883 log4j-1.2.8.jar

and

Directory of C:\Program Files (x86)\Sybase\Shared\PowerBuilder\WEB-INF\lib

25/06/2015 12:51 352,668 log4j-1.2.8.jar



Why is Appeon still distributing these files if they're no longer used by PB, as Armeen says?

regards

MiguelL





  1. Helpful
Chris Pollach @Appeon
  1. Chris Pollach @Appeon
  2. Monday, 13 December 2021 20:15 PM UTC
Hi Vipin;

Yes, the old Log4J is still there under the IDE. I believe that this was when dealing with the old Source Code Managers that were Java based. I do not believe that it's used any more though. I have asked Engineering for a definitive answer though. Hopefully, we can remove this for PB 2022. I will let you know.

Regards ... Chris
  1. Helpful
There are no comments made yet.
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.