With news of the recent Log4j vulnerability, we at Hawk Ridge Systems would like to share the following information on this matter.
The security implications for SOLIDWORKS and related products remain under investigation, and this article will be updated according to the latest information given. Currently, there are no identified impacts for SOLIDWORKS desktop applications.
Please see the following link for information directly from Dassault Systèmes: QA00000102301e - DS Support Knowledge Base / Question & Answer (3ds.com)
Apache Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832, CVE-2022-23307, CVE-2022-23302, CVE-2022-23305, CVE-2021-4104)
Are Dassault Systèmes solutions impacted by Log4j vulnerability?
First publication date: 2021-12-13
Last update date: 2022-03-08, 09:30 AM (Paris time)
Current Version: 2.2 (see at the bottom of this article for changes summary)
IMPORTANT UPDATE (Feb 17, 2022. 6PM Paris time)
Following the CVE-2022-23307 publication (but also CVE-2022-23302, CVE-2022-23305, CVE-2021-4104), related to log4j 1.2.x releases, Dassault Systemes has engaged a deep impact analysis. This analysis revealed that there is no significant risk to exploit existing vulnerabilities within our Solutions (the vulnerabilities described in above CVE only exist in very specific, non-default and rare configuration that 3DS do not use). In parallel, Dassault Systemes has already engaged a plan to remove remaining log4j 1.x libraries from supported Solutions.
IMPORTANT UPDATE (Jan 31st, 2022. 6PM Paris time)
We have started to update some immediate remediation procedures and emergency fixes procedures with Log4j 2.17.1 (see history for detail).
IMPORTANT UPDATE (Dec 17th, 2021. 3PM Paris time)
Following the recent announcement from Apache (see here) on Dec, 17th relative to CVE-2021-45046, for which CVSS score has been raised from 3.7 to 9.0 and impacting all log4j releases except 2.16 and 2.12.2, the procedures and emergency fixes in this article have been updated with log4j 2.16 to reflect this change.
Context: Dassault Systèmes is aware of the security issue related to open-source Apache Log4j Utility (CVE-2021-44228 & CVE-2021-45046 & CVE-2021-44832 and also CVE-2022-23302, CVE-2022-23305, CVE-2021-4104) and our Cybersecurity team has been actively investigating any potential impact of this vulnerability since Friday, December 10th.
For all Dassault Systèmes Solutions not listed in "Impacted Solutions" section below, there is no known impact.
-----------------------------------------------------------------------------------------------------------------------------------------
Impacted Solutions:
3DEXPERIENCE platform SaaS
3DEXPERIENCE platform On-Premise
You have actions to perform only if you have installed one of the following medias. All other 3DEXPERIENCE platform medias are not impacted.
Impacted levels: from R2021x
Impacted Roles: Cost Intelligence, Weight and Balance
Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum: 1adb3700862e3bba34e26cb92ffe62f9
Initial Immediate remediation: Please follow procedure by clicking here

Impacted levels: from R2020x HF1 (FP2006) and Upper, R2021x and R2022x
Impacted Roles: PLM Collaboration Services for Altium Designer, Collaborative Designer for Altium Designer, Collaborative Designer for Cadence Allegro
Emergency fix remediation for Collaborative Designer for Cadence Allegro: Click here to download the emergency fix for Client (Support account needed). md5sum: 094ad66b8770101cb6b407f34cf36452
Emergency fix remediation for Collaborative Designer for Altium Designer: Click here to download the emergency fix for Client (Support account needed). md5sum: d63bda905729899dd6bb4bc8b146c5c0
Initial Immediate remediation: Please follow procedure by clicking here

Impacted levels: 3DEXPERIENCE platform starting with R2017x FP1926 and higher
Include a vulnerable ORACLE component. Please refer to this ORACLE article (access to "My Oracle Support" with approved active Support Identifiers required to access the article)
Emergency fix remediation:
Initial Immediate remediation: Please follow procedure by clicking here

CATIA No Magic
Impacted levels: R2021x Refresh 1 & 2
Fixed version of CATIA MAGIC/No Magic R2021x Refresh 1 available on https://software.3ds.com
Fixed version of CATIA MAGIC/No Magic R2021x Refresh 2 available on https://software.3ds.com
Initial Immediate remediation: Please follow procedure by clicking here
You can also find more details in dedicated CATIA No Magic webpage (click here)

BIOVIA Biological Registration and BIOVIA Chemical Registration
Impacted levels: BIOVIA2019, BIOVIA2020, BIOVIA2021 & BIOVIA2022
Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum: 99541bd73347d507b39d7bc4395ae94c
Initial Immediate remediation: Please follow procedure by clicking here

BIOVIA Hub package
Impacted levels: BIOVIA2020, BIOVIA2021 & BIOVIA2022
Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum: d6456bc37bcfead438b2e69f24f21856
Initial Immediate remediation: Please follow procedure by clicking here

BIOVIA Pipeline Pilot Next Generation Sequencing Collection
Impacted levels: BIOVIA2019, BIOVIA2020, BIOVIA2021 & BIOVIA2022
Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum: 99541bd73347d507b39d7bc4395ae94c
Initial Immediate remediation: Please follow procedure by clicking here

BIOVIA Pipeline Pilot BIOVIA BiologyGPL Collection
Impacted levels: BIOVIA2019, BIOVIA2020, BIOVIA2021 & BIOVIA2022
Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum: 99541bd73347d507b39d7bc4395ae94c
Initial Immediate remediation: Please follow procedure by clicking here

SIMULIA CST STUDIO Suite
Impacted levels: V2021, V2022
Initial Immediate remediation: Please follow procedure by clicking here
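
An added example (not from Dassault Systèmes or Hawk Ridge Systems): one way to inventory an installation directory for jars that carry Log4j classes, using 2.17.1, the release the updated procedures above use, as the baseline. The class and Maven metadata paths are standard Log4j packaging; the directory to scan is whatever you pass in, and jars nested inside other archives are not opened.

```python
import re
import zipfile
from pathlib import Path

BASELINE = (2, 17, 1)  # Log4j release named in the page's updated procedures
JNDI_2X = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x
JMS_1X = "org/apache/log4j/net/JMSAppender.class"                  # log4j 1.2.x
POM_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^version=(\d+(?:\.\d+)*)", re.M)


def core_version(jar, names):
    """Version of the log4j-core classes in this jar, from Maven metadata, or None."""
    if POM_2X not in names:
        return None
    m = VERSION_RE.search(jar.read(POM_2X).decode("utf-8", "replace"))
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(family, version):
    if family == "1.x":
        return "log4j 1.x present: candidate for removal"
    if version is None:
        return "log4j-core 2.x, version unknown: inspect manually"
    if version < BASELINE:
        return "log4j-core older than 2.17.1: apply vendor remediation"
    return "log4j-core at or above 2.17.1"


def scan(root):
    """Return (relative path, family, version, verdict) for each jar holding Log4j classes."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        rel = path.relative_to(root).as_posix()
        try:
            with zipfile.ZipFile(path) as jar:
                names = set(jar.namelist())
                if JNDI_2X in names:
                    ver = core_version(jar, names)
                    findings.append((rel, "2.x", ver, classify("2.x", ver)))
                if JMS_1X in names:
                    findings.append((rel, "1.x", None, classify("1.x", None)))
        except zipfile.BadZipFile:
            findings.append((rel, "unreadable", None, "not a valid jar: inspect manually"))
    return findings


if __name__ == "__main__":
    import sys
    for row in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*row, sep="\t")
```

Matching on class files rather than file names also catches Log4j that has been repackaged into an application jar under a different name.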
Version | Publication date | Content summary |
---|---|---|
1.0 | 2021-12-13 | |
1.1 | 2021-12-15 | |
1.2 | 2021-12-16 | |
1.3 | 2021-12-17 | |
1.4 | 2021-12-17 10PM Paris time | |
1.5 | 2021-12-20 2PM Paris time | |
1.6 | 2021-12-20 7PM Paris time | |
1.7 | 2021-12-20 10:30 PM Paris time | |
1.8 | 2021-12-21 4:30 PM Paris time | |
1.9 | 2021-12-22 11:30 AM Paris time | |
1.10 | 2021-12-22 3 PM Paris time | |
1.11 | 2021-12-22 7 PM Paris time | |
1.12 | 2021-12-23 8:30 PM Paris time | |
1.13 | 2021-12-24 3:00 PM Paris time | |
1.14 | 2022-01-05 3:00 PM Paris time | |
1.15 | 2022-01-11 3:30 PM Paris time | |
1.16 | 2022-01-28 2:00 PM Paris time | |
1.17 | 2022-01-31 9:30 AM Paris time | |
1.18 | 2022-01-31 6:00 PM Paris time | |
1.19 | 2022-02-01 12:00 PM Paris time | |
1.20 | 2022-02-03 12:30 PM Paris time | |
2.0 | 2022-02-18 10:30 AM Paris time | |
2.1 | 2022-03-07 10:30 AM Paris time | |
2.2 | 2022-03-08 09:30 AM Paris time | |