Applications that may have "log4j" vulnerabilities

Owned by Steve Maser
Last updated: May 23, 2022
2 min read

Current versions of izzy-deployed applications were scanned for “log4j” .jar files to see if any of them had less than the recommended “2.16” version that patches the vulnerability mentioned here: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

We will be actively checking for new versions of these applications as they become available and will release them as soon as possible. Please be aware that only the latest versions of applications available via izzy were tested – so it should be presumed that any older versions of these applications have the same problem.

Current (5-23-2022) list Applications that have log4.jar files and statements (if applicable) as to their vulnerability status

Arduino – fixed version (1.8.19) available in Managed Software Center https://support.arduino.cc/hc/en-us/articles/4412377144338-Arduino-s-response-to-Log4j2-vulnerability-CVE-2021-44228

Avid Editor Transcode – no information found (NOTE: This does not look to be installed on clean installs on Monterey)

Code42 – server-side patches pushed Dec 20th https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_response_to_industry_security_incidents

Cyberduck – appears unaffected: “Cyberduck isn't using Log4j 2 and doesn't include any capability of sending or receiving logs from any remote source or target.

This is discussed in https://github.com/iterate-ch/cyberduck/issues/12648

Cytoscape – fixed version (3.9.1) available in Managed Software Center soon https://cytoscape.org

DNAStar LaserGene – not affected https://www.dnastar.com/blog/product-notifications/log4j-vulnerability-is-not-known-to-affect-dnastar-products/

Fiji – no information found. However, ImageJ apparently does not contain a log4j file.

IDL – appears unaffected: https://www.l3harrisgeospatial.com/Support/Self-Help-Tools/Help-Articles/Help-Articles-Detail/ArtMID/10220/ArticleID/24141/Impact-of-Log4j-Java-Security-Vulnerability-CVE-2021-44228-on-L3Harris-Geospatial-software

SPSS 27 and 28 – SPSS Fix available in Managed Software Center

JMP Pro 16 – appears unaffected: https://support.sas.com/en/security-bulletins/remote-code-execution-vulnerability-cve-2021-44228.html#221dd3cc-e79a-45e6-bb60-c6814622e1e4

Maple – appears unaffected: https://faq.maplesoft.com/s/article/Are-Maplesoft-products-affected-by-the-Apache-Log4j-CVE-2021-44228-vulnerability?language=en_US

Mathematica 13 – appears unaffected: https://support.wolfram.com/56848

Matlab 2021b – appears unaffected: https://www.mathworks.com/matlabcentral/answers/1610640-apache-log4j-vulnerability-cve-2021-44228-how-does-it-affect-matlab

NetLogo 6.2.2 – Limited to Hubnet (unused?) with mitigation indicated here: https://github.com/NetLogo/NetLogo/issues/2001

OpenRefine – fixed version (3.5.1) available in Managed Software Center

PCClient – https://www.papercut.com/kb/Main/Log4Shell-CVE-2021-44228#product-status (Version 19 is deployed with Network printing package)

Specify – Per an e-mail forwarded from LSA from their tech support to consortium users on Dec 13, 2021: “Specify 6 is not affected by the vulnerability. The version of Log4j that Specify 6 includes is not vulnerable to this exploit.”

SQL Developer – fixed version (2.14.1) available in Managed Software Center

Xcode – mitigated version 13.2.1 available in Managed Software Center. Per the Developer Release notes: “

  • Xcode contains a copy of the log4j library that has the CVE-2021-44228 security vulnerability. Xcode automatically downloads an updated version of this library and installs it into ~/Library/Caches/com.apple.amp.itmstransporter. When submitting apps to the App Store, Xcode uses the updated version of the library. (86390060)