Bug 7667

Log4j2 Vulnerability 10 January, 2022

Pete Yankovich
15 December, 2021
Product: PowerBuilder Category: Installation
Version: 2017 R2 Build: 1769
Classification: Issue Publishing: Public
Priority: P1
Status: Closed Reason: NO RESPONSE
Miguel Leeuwe 28 December, 2021
#8
To answer Pete's initial question. I found this little tool very helpful as it also detects log4j embedded within other jar files:
https://github.com/mergebase/log4j-detector
Chris Pollach @Appeon 22 December, 2021
#7
Hi Pete;

   Based on our policy we have made 3 different attempts to contact you and
determine if this ticket has been solved, unfortunately, we did not get any
response and thus, we will now proceed to close it.  

  If you consider this issue still not to be fixed, please open a new support ticket. Thank you for understanding.

Regards ... Chris
Chris Pollach @Appeon 20 December, 2021
#6
Hi Pete;

  Were you able to resolve this issue?

Regards ... Chris
Chris Pollach @Appeon 15 December, 2021
#5
Hi Pete;

  Yes, the various versions/builds of the Appeon PB runtime never used or asked you to deploy the L4J files. So your Appeon based App EXE's should be fine. It's only the PB IDE that still had this old remnant and should only expose the need for L4J during a compile / full build) operation. If that does not occur, your Apps(s) should be fine.

Hi Shoaib;

  Yes, the L4J software could certainly exist in other products outside of Appeon PB. However since these are external products, you would need to deal with this vulnerability with those particular software vendors (of course for Sybase, that would now be SAP).

Regards ... Chris
Pete Yankovich 15 December, 2021
#4
Chris,
Our apps do not deploy with the log4j files.  I would assume then, that there are no requirements for that functionality.  Also, the apps do not employ the three services you mentioned.
Thanks for your prompt response.
Pete
shoaib siddiqui 15 December, 2021
#3
these files also exist in other folders too, i.e. IBM, Serena, Sybase, IDERA etc
Chris Pollach @Appeon 15 December, 2021
#2
Appeon Security Bulletin
Chris Pollach @Appeon 15 December, 2021
#1
Hi Pete;

    I am just guessing that this could have been used for either: Java based EAServer; Java based Source Code Management software or Java based EASY SOAP web services. All of which have been deprecated long ago.

    I would remove the LOG4J from your environment (as per the attached) and then redeploy your App(s) and test. I would be very surprised if any L4J need pops up.

Regards ... Chris
Pete Yankovich 15 December, 2021
I believe all PB apps in our environment are Windows apps, but how do I determine if any features used by the apps require Log4j?
OS:
Windows 10
Platform:
All
Database Type:
Microsoft SQL Server
Database Version:
13.0.6300.2