Apache Log4j vulnerability

With news of the recent Log4j vulnerability, we at Hawk Ridge Systems would like to share the following information on this matter.

The security implications for SOLIDWORKS and related products are still under investigation, and this article will be updated as new information becomes available. Currently, there are no identified impacts for SOLIDWORKS desktop applications.

Please see the following link for information directly from Dassault Systèmes: QA00000102301e - DS Support Knowledge Base / Question & Answer (3ds.com)

 

Apache Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832, CVE-2022-23307, CVE-2022-23302, CVE-2022-23305, CVE-2021-4104)
Are Dassault Systèmes solutions impacted by Log4j vulnerability?
First publication date: 2021-12-13
Last update date: 2022-03-08, 09:30 AM (Paris time)
Current Version: 2.2 (see at the bottom of this article for changes summary)
 
IMPORTANT UPDATE (Feb 17, 2022. 6PM Paris time)
Following the publication of CVE-2022-23307 (and also CVE-2022-23302, CVE-2022-23305 and CVE-2021-4104), which relate to log4j 1.2.x releases, Dassault Systèmes has undertaken an in-depth impact analysis.
This analysis found no significant risk that the existing vulnerabilities can be exploited within our Solutions (the vulnerabilities described in the above CVEs only exist in very specific, non-default and rare configurations that 3DS does not use).
 
In parallel, Dassault Systèmes has already started a plan to remove the remaining log4j 1.x libraries from supported Solutions.
 

IMPORTANT UPDATE (Jan 31st, 2022. 6PM Paris time)

We have started to update some immediate remediation procedures and emergency fix procedures with Log4j 2.17.1 (see the version history for details).

IMPORTANT UPDATE (Dec 17th, 2021. 3PM Paris time)

Following the recent announcement from Apache (see here) on Dec 17th regarding CVE-2021-45046, whose CVSS score has been raised from 3.7 to 9.0 and which impacts all log4j releases except 2.16 and 2.12.2, the procedures and emergency fixes in this article have been updated with log4j 2.16 to reflect this change.

 

Context:

Dassault Systèmes is aware of the security issue related to the open-source Apache Log4j utility (CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832, and also CVE-2022-23302, CVE-2022-23305 and CVE-2021-4104), and our Cybersecurity team has been actively investigating any potential impact of this vulnerability since Friday, December 10th.

 

 

For all Dassault Systèmes Solutions not listed in the "Impacted Solutions" section below, there is no known impact.

  • The procedures attached to this article must be applied only if you are affected by one of the impacted solutions.

  • A few investigations are still ongoing, so please stay tuned to this article.

 

-----------------------------------------------------------------------------------------------------------------------------------------

Impacted Solutions:

3DEXPERIENCE platform SaaS 

  • In the hours following the announcement, Dassault Systèmes took immediate measures, as part of our vulnerability and threat intelligence processes, to mitigate potential risks related to 3DEXPERIENCE platform SaaS offering.
  • We are asking our Cloud users of Collaborative Designer for X-CAD to update to the version HF0.4 (available since Dec 14th, 7PM Paris time).

  • There is no expected action from our 3DEXPERIENCE platform Cloud customers not using Collaborative Designer for X-CAD. 

 

3DEXPERIENCE platform On-Premise

You have actions to perform only if you have installed one of the following media.

All other 3DEXPERIENCE platform media are not impacted.

 

  • EXALEAD KPI "Business Insight Installation" media

Impacted levels: from R2021x

Impacted Roles: Cost Intelligence, Weight and Balance

Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum:1adb3700862e3bba34e26cb92ffe62f9

Initial Immediate remediation: Please follow procedure by clicking here

 

  • "XCADDesignConnectors" media

Impacted levels: from R2020x HF1 (FP2006) and upper, R2021x and R2022x

Impacted Roles: PLM Collaboration Services for Altium Designer, Collaborative Designer for Altium Designer, Collaborative Designer for Cadence Allegro

Emergency fix remediation for Collaborative Designer for Cadence Allegro: Click here to download the emergency fix for Client (Support account needed).  md5sum: 094ad66b8770101cb6b407f34cf36452

Emergency fix remediation for Collaborative Designer for Altium Designer: Click here to download the emergency fix for Client (Support account needed).  md5sum: d63bda905729899dd6bb4bc8b146c5c0

Initial Immediate remediation: Please follow procedure by clicking here

 

  • "AutoVue 3D Viewer" & "AutoVue 2D Viewer"

Impacted levels: 3DEXPERIENCE platform starting with R2017x FP1926 and higher

Includes a vulnerable ORACLE component. Please refer to this ORACLE article (access to "My Oracle Support" with approved active Support Identifiers required to access the article)

Emergency fix remediation:

  • Click here to download the emergency fix for Client (Support account needed).  md5sum:048f771a95f0375c8fd2f44b306d7328

  • Click here to download the emergency fix for Server (Support account needed).  md5sum:381ce8df31ca3a05d3b0676ba19daaed

Initial Immediate remediation: Please follow procedure by clicking here

 

CATIA No Magic 

Impacted levels: R2021x Refresh 1 & 2

Fixed version of CATIA MAGIC/No Magic R2021x Refresh 1 available on https://software.3ds.com
Navigate to CATIA, No Magic, NoMagic R2021x select Refresh 1 and select the "Fixes for this Level"

Fixed version of CATIA MAGIC/No Magic R2021x Refresh 2 available on https://software.3ds.com
Navigate to CATIA, No Magic, NoMagic R2021x select Refresh 2 and select the "Fixes for this Level"

 

Initial Immediate remediation: Please follow procedure by clicking here

You can also find more details on the dedicated CATIA No Magic webpage (click here)

 

BIOVIA Biological Registration and BIOVIA Chemical Registration 

Impacted levels: BIOVIA2019, BIOVIA2020, BIOVIA2021 & BIOVIA2022

Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum:99541bd73347d507b39d7bc4395ae94c

Initial Immediate remediation: Please follow procedure by clicking here

 

BIOVIA Hub package

Impacted levels: BIOVIA2020, BIOVIA2021 & BIOVIA2022

Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum:d6456bc37bcfead438b2e69f24f21856

Initial Immediate remediation: Please follow procedure by clicking here

 

BIOVIA Pipeline Pilot Next Generation Sequencing Collection

Impacted levels: BIOVIA2019, BIOVIA2020, BIOVIA2021 & BIOVIA2022

Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum:99541bd73347d507b39d7bc4395ae94c

Initial Immediate remediation: Please follow procedure by clicking here

 

BIOVIA Pipeline Pilot BIOVIA BiologyGPL Collection 

Impacted levels: BIOVIA2019, BIOVIA2020, BIOVIA2021 & BIOVIA2022

Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum:99541bd73347d507b39d7bc4395ae94c

Initial Immediate remediation: Please follow procedure by clicking here

 

SIMULIA CST STUDIO Suite

Impacted levels: V2021, V2022

Initial Immediate remediation: Please follow procedure by clicking here


DELMIA Quintiq

Impacted levels: All

Emergency fix remediation for Quintiq 2021 refresh4 HF2 (6.2.4): Click here to download the emergency fix (Support account needed). md5sum:9ba2f5d2018d40fdd9699c1364783999

 

Emergency fix remediation for Quintiq 2020 refresh9 HF2 (6.1.9):

  • Volume 1/2: Click here to download the emergency fix (Support account needed). md5sum:b1f40d0a4b89433b062a82ba0d61566e
  • Volume 2/2: Click here to download the emergency fix  (Support account needed). md5sum:b790f0be3aa376d999354db5112d327d

 

Emergency fix remediation for Quintiq 6.0 refresh10 HF2 (6.0.10):

  • Volume 1/2: Click here to download the emergency fix (Support account needed). md5sum:19095433e0c02985417ca967d9181eaf
  • Volume 2/2: Click here to download the emergency fix (Support account needed). md5sum:397a85997eb809e956b38b9bcdef5a01

 

Emergency fix remediation for Quintiq 5.6 refresh25 HF2 (5.6.2.5): Click here to download the emergency fix (Support account needed). md5sum:91c9d82cdd7300709493e4166b74ad9d

Emergency fix remediation for Quintiq 5.5 refresh25 HF2 (5.5.2.5): Click here to download the emergency fix (Support account needed). md5sum:8fb73bc1c5f261c68c1dad114ceaadb2

Emergency fix remediation for Quintiq 5.4 refresh26 HF1 (5.4.2.6): Click here to download the emergency fix (Support account needed). md5sum:7e294f9a292dd4beeabf4a685dea730a

Emergency fix remediation for Quintiq 5.3 Refresh25 HF1 (5.3.2.5 HF1): Click here to download the emergency fix (Support account needed). md5sum:7e52415bcd95a8a27c95d664862dff5f

Emergency fix remediation for Quintiq 5.2 Refresh25 HF1 (5.2.2.5 HF1): Click here to download the emergency fix (Support account needed). md5sum:831022059562ba7f294c86f14f435e51

 

Emergency fix remediation for Quintiq Maps (PTV), applicable to all Quintiq levels:

  • Volume 1/2: Click here to download the emergency fix (Support account needed).   md5sum:ff360674d4fa5ea1527952ef182fa777
  • Volume 2/2: Click here to download the emergency fix (Support account needed). md5sum:27a941ca5248a2231fbe356aa697f9f9

 

Initial Immediate remediation: Please follow procedure by clicking here [Procedure updated on Mar 8th, 2022, 10:30 AM]

 

DELMIAWorks

Impacted levels: All

You have no action to perform. Please have a look at our recommendation by clicking here

 

DELMIA QUEST and VMAP

Impacted levels: All

You have no action to perform. Please have a look at our recommendation by clicking here

 

ENOVIA Qumas EDMS 

Impacted levels: QUMAS E Portfolio 2022x GA, QUMAS E Portfolio 2021x RF1, QUMAS E Portfolio 2021x GA

Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum:bc9c77669f7da18da1d56dfdf7585b0e

Initial Immediate remediation: Please follow procedure by clicking here

 

ENOVIA Qumas EQMS 

Impacted levels: QUMAS E Portfolio 2022x GA, QUMAS E Portfolio 2021x RF1, QUMAS E Portfolio 2021x GA, QUMAS E Portfolio 2020x RF1, QUMAS E Portfolio 2020x GA, QUMAS E Portfolio 2017x GA HF1

Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum:bc9c77669f7da18da1d56dfdf7585b0e

Initial Immediate remediation: Please follow procedure by clicking here

 

ENOVIA SmarTeam

Impacted levels: from V5-6 R2018 and higher releases

  • "AutoVue Viewer" 

Includes a vulnerable ORACLE component. Please refer to this ORACLE article (access to "My Oracle Support" with approved active Support Identifiers required to access the article)

Emergency fix remediation: Click here to download the emergency fix (Support account needed). md5sum:  bd79d66d38d68593950fd3e798ba05ae

Initial Immediate remediation: Please follow procedure by clicking here

-----------------------------------------------------------------------------------------------------------------------------------------

Version History

Version Publication date Content summary
1.0 2021-12-13
  • First publication.
  • 3DEXPERIENCE Platform SaaS solutions fixed
  • Impacted Solutions announcement with manual and immediate remediation procedures
1.1 2021-12-15
  • New impacted solutions: ENOVIA SMARTEAM AutoVue, 3DEXPERIENCE Platform On Premise AutoVue, ENOVIA Qumas with manual and immediate remediation procedures
1.2 2021-12-16
  • Procedures added for ENOVIA SMARTEAM AutoVue, 3DEXPERIENCE Platform On Premise AutoVue
  • New impacted solutions: BIOVIA with manual and immediate remediation procedures
1.3 2021-12-17
  • Procedures updated with log4j 2.16
  • New impacted solutions: BIOVIA with manual and immediate remediation procedures
1.4 2021-12-17 10PM Paris time
  • Emergency fixes download added for 3DEXPERIENCE platform On premise Business Insights Installation & 3DEXPERIENCE platform On premise "AutoVue 3D Viewer" and "AutoVue 2D Viewer"
1.5 2021-12-20 2PM Paris time
  • Updated procedure for DELMIA Quintiq
1.6 2021-12-20 7PM Paris time
  • Emergency fixes download added for Collaborative Designer for Cadence Allegro, Collaborative Designer for Altium Designer, BIOVIA Biological Registration and BIOVIA Chemical Registration, BIOVIA Hub package, BIOVIA Pipeline Pilot Next Generation Sequencing Collection, BIOVIA Pipeline Pilot BIOVIA BiologyGPL Collection
1.7 2021-12-20 10:30 PM Paris time
  • CATIA NoMagic procedure updated (V3)
1.8 2021-12-21 4:30 PM Paris time
  • Emergency fixes download added for DELMIA Quintiq
  • Final fixed version for CATIA NoMagic added
1.9 2021-12-22 11:30 AM Paris time
  • Emergency fixes updated for 3DEXPERIENCE platform On premise "AutoVue 3D Viewer" and "AutoVue 2D Viewer"
  • Updated procedure for DELMIA Quintiq
  • Updated procedure for ENOVIA SMARTEAM
1.10 2021-12-22 3 PM Paris time
  • Updated procedure for 3DEXPERIENCE platform On premise "AutoVue 3D Viewer" and "AutoVue 2D Viewer"
  • Added procedure for DELMIA Quintiq 5.6 refresh25 HF2
1.11 2021-12-22 7 PM Paris time
  • Added Emergency fix for CATIA MAGIC/No Magic R2021x Refresh 2
  • Added Emergency Fix for ENOVIA SMARTEAM
1.12 2021-12-23 8:30 PM Paris time
  • Updated procedure for DELMIA Quintiq
  • Added Emergency fix for BIOVIA Hub package
1.13 2021-12-24 3:00 PM Paris time
  • Updated procedure for DELMIA Quintiq
  • Added procedure for DELMIA Quintiq 5.3 Refresh25 HF1 (5.3.2.5 HF1) & DELMIA Quintiq 5.2 Refresh25 HF1 (5.2.2.5 HF1)
1.14 2022-01-05 3:00 PM Paris time
  • Updated procedure for DELMIA Quintiq
1.15 2022-01-11 3:30 PM Paris time
  • Updated procedure for DELMIA Quintiq
  • Updated procedure for CATIA MAGIC/No Magic (with Log4j 2.17.1)
1.16 2022-01-28 2:00 PM Paris time
  • Updated procedure for DELMIA Quintiq (with Log4j 2.17.1)
1.17 2022-01-31 9:30 AM Paris time
  • Updated procedure for 3DEXPERIENCE platform On premise "AutoVue 3D Viewer" and "AutoVue 2D Viewer" (with Log4j 2.17.1)
  • Updated procedure for ENOVIA SMARTEAM (with Log4j 2.17.1)
1.18 2022-01-31 6:00 PM Paris time
  • Added Emergency Fix for ENOVIA SMARTEAM (with Log4j 2.17.1)
1.19 2022-02-01 12:00 PM Paris time
  • Adding CVE-2021-44832 reference
1.20 2022-02-03 12:30 PM Paris time
  • Emergency fixes updated for 3DEXPERIENCE platform On premise "AutoVue 3D Viewer" and "AutoVue 2D Viewer" (with Log4j 2.17.1)
2.0 2022-02-18 10:30 AM Paris time
  • Update about log4j 1.2.x & CVE-2022-23307, CVE-2022-23302, CVE-2022-23305, CVE-2021-4104
2.1 2022-03-07 10:30 AM Paris time
  • Adding SIMULIA CST Studio suite immediate remediation procedure
  • Updated procedure for DELMIA Quintiq
2.2 2022-03-08 09:30 AM Paris time
  • New procedure for DELMIA QUEST & VMAP