Subscribe via RSS
Toggle Submenu
  1. Categories
  2. Recent
  3. Tags
View Replies (3)

Resolved Log4j Vulnerability / CVE-2021-44228

  1. Issue
1
Votes
Undo
  1. Anthony Duncan
    Anthony Duncan
  2. PowerBuilder
  3. Monday, 13 December 2021 14:13 PM UTC

We are using Powerbuilder v2019 R2 Build 2353. I see that log4j is installed to our development machines as part of the standard Powerbuilder IDE install.

Can you please confirm what action/mitigations we will need to take to ensure that a) our Pb development environment is safe for our developers to use and b) that our Pb developed applications are also safe for our business users to use?

At this time, we have asked all developers & business users to refrain from using Powerbuilder until we can clarify the situation.

Git revert fails with Powerbuilder 2021
XML beautify/pretty print
Responses (3)
Armeen Mazda @Appeon
Armeen Mazda @Appeon Accepted Answer Pending Moderation
  1. Tuesday, 14 December 2021 17:10 PM UTC
  2. PowerBuilder
  3. # 1

Please see attached security bulletin from Appeon.

Attachments (1)
Appeon Security Bulletin- CVE-2021-44228.pdf
Comment
Load more comments
Miguel Leeuwe
  1. Miguel Leeuwe
  2. Tuesday, 14 December 2021 22:09 PM UTC
Will let you know tomorrow.
  1. Helpful
Chris Pollach @Appeon
  1. Chris Pollach @Appeon
  2. Wednesday, 15 December 2021 16:13 PM UTC
Hi Miguel wt Al;

Note that the Appeon PB runtime via the PB Packager and the PB Help file's "Deployment" section never asked you to deploy the L4J software with your App EXE's - thus, the production environments should be clear of any L4J software. This was only an IDE related issue.

The L4J software though could exist in other related products, for example: IBM, Serena, Sybase, IDERA etc. However since these are external products to PB, you would need to deal with this vulnerability with those particular software vendors (of course for Sybase, that would now be SAP).

Regards ... Chris
  1. Helpful
Miguel Leeuwe
  1. Miguel Leeuwe
  2. Thursday, 16 December 2021 18:15 PM UTC
You're right Chris. I just assumed it would be in the runtime when packaging, but it turns out that in our case we have never distributed these 2 files

regards
  1. Helpful
There are no comments made yet.
Armeen Mazda @Appeon
Armeen Mazda @Appeon Accepted Answer Pending Moderation
  1. Monday, 13 December 2021 18:28 PM UTC
  2. PowerBuilder
  3. # 2

Hi Anthony,

EAServer and other Java features of PowerBuilder were discontinued long ago.  My guess is Log4j is just something left over, but I don't see how that would be used by your PB apps because no matter you do traditional client/server or cloud projects PowerBuilder is not using Java.  Traditional client/server uses C/C++ and cloud projects use C#/.NET Core.  At any rate, I suggest you open a support ticket so we can carefully investigate and properly track this issue.

Best regards,
Armeen

Comment
Load more comments
Miguel Leeuwe
  1. Miguel Leeuwe
  2. Monday, 13 December 2021 19:38 PM UTC
yes, I did that already, before answers started pooring in. So I'll wait and see.

Thanks!
  1. Helpful
Armeen Mazda @Appeon
  1. Armeen Mazda @Appeon
  2. Monday, 13 December 2021 19:52 PM UTC
Great, thanks!
  1. Helpful
Roland Smith
  1. Roland Smith
  2. Thursday, 16 December 2021 14:07 PM UTC
I'm wondering if the entire WEB-INF folder should be removed from the install. My guess is that it is for JSP Web Pages which was removed in 11.5. The dxre folder has no obvious use so might be able to be removed.
  1. Helpful
There are no comments made yet.
Miguel Leeuwe
Miguel Leeuwe Accepted Answer Pending Moderation
  1. Thursday, 16 December 2021 13:45 PM UTC
  2. PowerBuilder
  3. # 3

If anyone is looking for a scanning tool, I found this one very useful:

https://github.com/mergebase/log4j-detector

regards

Comment
Armeen Mazda @Appeon
  1. Armeen Mazda @Appeon
  2. Thursday, 16 December 2021 16:32 PM UTC
Thanks for sharing Miguel!
  1. Helpful
There are no comments made yet.
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.