You may have heard that there is a critical security vulnerability in the “log4j” library that is used by many applications in the Java ecosystem and you might be wondering if this impacts your OpenEdge environment.
At this time we do not know of any specific, direct impact to OpenEdge.
In OpenEdge 11.7 PASOE and the OE REST adapter do use log4j but it is version 1 of log4j which is not currently believed to be vulnerable to this exploit.
For OpenEdge 12.2, PASOE, and the underlying Tomcat instance do not appear to use log4j at all so we believe that they are safe.
ProTop does not use log4j nor does any of the ProTop portal infrastructure.
None the less we encourage everyone to carefully review their Java infrastructure. Many add on components may have incorporated log4j and the vulnerability is being actively exploited. If you have internet facing infrastructure you should act immediately to mitigate the use of log4j by either upgrading to the patched release or by taking the temporary steps described in the articles below.
For more detailed information the following resources are a good start:
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721
https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html
Content provided by Consultingwerk, Riverside Software and White Star Software
