Applications that may have "log4j" vulnerabilities
Current versions of izzy-deployed applications were scanned for “log4j” .jar files to see whether any of them were older than the recommended “2.16” version, which patches the vulnerability described here: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
We will be actively checking for new versions of these applications as they become available and will release them as soon as possible. Please be aware that only the latest versions of applications available via izzy were tested – so it should be presumed that any older versions of these applications have the same problem.
Current (5-23-2022) list of applications that have log4j .jar files, with statements (if applicable) as to their vulnerability status:
Arduino – fixed version (1.8.19) available in Managed Software Center https://support.arduino.cc/hc/en-us/articles/4412377144338-Arduino-s-response-to-Log4j2-vulnerability-CVE-2021-44228
Avid Editor Transcode – no information found (NOTE: This does not look to be installed on clean installs on Monterey)
Code42 – server-side patches pushed Dec 20th https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_response_to_industry_security_incidents
Cyberduck – appears unaffected: “Cyberduck isn't using Log4j 2 and doesn't include any capability of sending or receiving logs from any remote source or target. This is discussed in https://github.com/iterate-ch/cyberduck/issues/12648”
Cytoscape – fixed version (3.9.1) available in Managed Software Center soon https://cytoscape.org
DNAStar LaserGene – not affected https://www.dnastar.com/blog/product-notifications/log4j-vulnerability-is-not-known-to-affect-dnastar-products/
Fiji – no information found. However, ImageJ apparently does not contain a log4j file.
IDL – appears unaffected: https://www.l3harrisgeospatial.com/Support/Self-Help-Tools/Help-Articles/Help-Articles-Detail/ArtMID/10220/ArticleID/24141/Impact-of-Log4j-Java-Security-Vulnerability-CVE-2021-44228-on-L3Harris-Geospatial-software
SPSS 27 and 28 – SPSS Fix available in Managed Software Center
JMP Pro 16 – appears unaffected: https://support.sas.com/en/security-bulletins/remote-code-execution-vulnerability-cve-2021-44228.html#221dd3cc-e79a-45e6-bb60-c6814622e1e4
Maple – appears unaffected: https://faq.maplesoft.com/s/article/Are-Maplesoft-products-affected-by-the-Apache-Log4j-CVE-2021-44228-vulnerability?language=en_US
Mathematica 13 – appears unaffected: https://support.wolfram.com/56848
Matlab 2021b – appears unaffected: https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab
NetLogo 6.2.2 – Limited to Hubnet (unused?) with mitigation indicated here: https://github.com/NetLogo/NetLogo/issues/2001
OpenRefine – fixed version (3.5.1) available in Managed Software Center
PCClient – https://www.papercut.com/kb/Main/Log4Shell-CVE-2021-44228#product-status (Version 19 is deployed with Network printing package)
Specify – Per an e-mail forwarded from LSA from their tech support to consortium users on Dec 13, 2021: “Specify 6 is not affected by the vulnerability. The version of Log4j that Specify 6 includes is not vulnerable to this exploit.”
SQL Developer – fixed version (2.14.1) available in Managed Software Center
Xcode – mitigated version 13.2.1 available in Managed Software Center. Per the Developer Release notes: “Xcode contains a copy of the log4j library that has the CVE-2021-44228 security vulnerability. Xcode automatically downloads an updated version of this library and installs it into ~/Library/Caches/com.apple.amp.itmstransporter. When submitting apps to the App Store, Xcode uses the updated version of the library. (86390060)”