We have reviewed all Heirloom Computing services for impact from the issue described in CVE-2021-44228 and CVE-2021-45046.
The vulnerable Log4J 2.x version was used as a dependency only in the Heirloom SDK Eclipse plugin component com.heirloomcomputing.ecd.core_x.x.x.
We have updated our product build accordingly and a new release is available at:
https://products.heirloomcomputing.com/elastic_cobol/release/
We recommend you update your development workstations as soon as possible.
Replacing Log4J libraries manually
If you do not plan on updating the Heirloom plugin version, you need to update your Eclipse plugin manually. Follow the steps below to update the log4j libraries:
1. Find the place where your Eclipse plugins are installed. It may be your home directory under .eclipse or in the Eclipse installation folder itself.
2. Locate the Heirloom ECD core plugin; its folder name has the following format:
com.heirloomcomputing.ecd.core_x.x.x
3. Replace the log4j libraries located in:
<eclipse>\plugins\com.heirloomcomputing.ecd.core_x.x.x\elastic_cobol\lib
3.1. Replace log4j-api-2.11.2 with log4j-api-2.16.0, which can be downloaded from:
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar
3.2. Replace log4j-core-2.11.2 with log4j-core-2.16.0, which can be downloaded from:
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.16.0/log4j-core-2.16.0.jar
Elastic Batch Platform & deployed applications
We do not bundle the Log4J components in the Elastic Batch Platform (EBP), or in replatformed batch or online application packages (jars, wars, ears). There are no required changes to either your EBP installation or application packages built with default components.
However, if you have manually added Log4J 2.x components to your application packages, you should update them to the latest available jar via the links above.
If you have additional questions about these steps, or about the Log4J vulnerability in general, please contact support.
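The following script is an added example and is not Heirloom Computing's tooling. It covers both the manual plugin update above (steps 1 to 3.2) and the check on deployed application packages: it walks a directory tree, reports every log4j-api / log4j-core jar found either loose on disk or nested inside jar, war and ear packages, flags versions below 2.16.0, and swaps the jars in a com.heirloomcomputing.ecd.core_x.x.x plugin's elastic_cobol/lib folder for fixed jars that were already downloaded into a local staging directory. Function names, the staging-directory convention, the .bak suffix for the old jars and the "anything 2.x below 2.16.0 is vulnerable" rule are this example's assumptions, not part of the advisory.

```shell
#!/bin/sh
# Added example, not Heirloom Computing's own tooling.
# Assumes jar names follow Maven's artifact-version.jar convention and that
# the fixed jars (see the advisory's Maven Central links) were downloaded
# beforehand into a staging directory.
set -e

# Version the advisory tells you to install; anything older is reported.
FIXED_VERSION=2.16.0

# version_lt A B: prints "lt" if dotted version A < B, else "ge".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0;
            if (xi < yi) { print "lt"; exit }
            if (xi > yi) { print "ge"; exit }
        }
        print "ge"
    }'
}

# log4j-core-2.11.2.jar (or a path ending in it) -> 2.11.2
log4j_version_of() {
    basename "$1" .jar | sed -E 's/^log4j-(api|core)-//'
}

# One report line per finding: "VULNERABLE <where> <version>" or "OK ...".
report() {
    if [ "$(version_lt "$2" "$FIXED_VERSION")" = lt ]; then
        echo "VULNERABLE $1 $2"
    else
        echo "OK $1 $2"
    fi
}

# scan_log4j ROOT: loose log4j jars, then jars nested in jar/war/ear packages
# (listed with unzip, nothing is extracted). Old jars renamed to *.jar.bak by
# replace_plugin_log4j are deliberately not matched.
scan_log4j() {
    root=$1
    find "$root" -type f \( -name 'log4j-api-*.jar' -o -name 'log4j-core-*.jar' \) \
    | while read -r f; do
        report "$f" "$(log4j_version_of "$f")"
    done
    command -v unzip >/dev/null 2>&1 || return 0
    find "$root" -type f \( -name '*.jar' -o -name '*.war' -o -name '*.ear' \) \
    | while read -r pkg; do
        unzip -Z1 "$pkg" 2>/dev/null \
        | grep -E '(^|/)log4j-(api|core)-[0-9.]+\.jar$' \
        | while read -r inner; do
            report "$pkg!$inner" "$(log4j_version_of "$inner")"
        done
    done
}

# count_vulnerable ROOT: number of VULNERABLE findings under ROOT.
count_vulnerable() {
    scan_log4j "$1" | grep -c '^VULNERABLE ' || true
}

# replace_plugin_log4j PLUGIN_DIR STAGING_DIR: keep the old jars as *.bak and
# copy log4j-api/log4j-core $FIXED_VERSION from STAGING_DIR into
# PLUGIN_DIR/elastic_cobol/lib, the path named in step 3 of the advisory.
replace_plugin_log4j() {
    lib_dir=$1/elastic_cobol/lib
    staging=$2
    for artifact in log4j-api log4j-core; do
        if [ ! -f "$staging/$artifact-$FIXED_VERSION.jar" ]; then
            echo "missing $artifact-$FIXED_VERSION.jar in $staging" >&2
            return 1
        fi
    done
    for old in "$lib_dir"/log4j-api-*.jar "$lib_dir"/log4j-core-*.jar; do
        [ -f "$old" ] || continue
        mv "$old" "$old.bak"
    done
    cp "$staging/log4j-api-$FIXED_VERSION.jar" \
       "$staging/log4j-core-$FIXED_VERSION.jar" "$lib_dir/"
}

# Usage: sh log4j_check.sh <eclipse-or-application-root>
#        (prints one report line per log4j jar found)
if [ $# -gt 0 ]; then
    scan_log4j "$1"
fi
```

Run the scan first against the Eclipse installation (or the .eclipse folder in your home directory, per step 1) and against the directory holding your deployed jars, wars and ears; only call replace_plugin_log4j on the plugin directory whose name matches com.heirloomcomputing.ecd.core_x.x.x, and re-run the scan afterwards to confirm nothing below 2.16.0 remains.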