Log4Shell vulnerability (CVE-2021-44228)
  • 22 Jun 2022

[Final Update]
All the latest releases of Altium products are safe from the log4j vulnerabilities.
A365 does not require any action from the user and is safe to use.

[Update December 23rd]
We are aware of the new vulnerability found within log4j and are closely monitoring the situation.

[Update December 23rd]
As an alternative to the patch, we have also released full updates to Altium Concord PRO and Altium Nexus Server 4.+ versions that update log4j to version 2.17.0 and remove the unused binary elasticsearch-sql-cli-6.4.2.jar.

[Update December 21st]
Out of an abundance of caution, and to avoid triggering false positives from vulnerability scanners, we are providing and recommending the following patch, which updates log4j2 to 2.17.0.
This guidance is in line with Elastic's recommendations.

The patch supports Altium Concord PRO / Altium Nexus Server 4.+ versions.
Security Patch

Altium Concord Pro / Altium NEXUS Server versions 3.x, 2.x, 1.x, Altium Vault Server, and Altium Infrastructure Server do not contain the vulnerable version of log4j2 and do not require this security patch.
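A defender-side check for the patch guidance above, added here as an example and not Altium's own tooling: it walks an install directory, reads each log4j-core jar's manifest, flags anything below 2.17.0 and reports whether the unused elasticsearch-sql-cli-6.4.2.jar is still present. The directory layout and jar contents built in demo() are constructed for the example and do not reflect a real product tree.

```python
import re
import tempfile
import zipfile
from pathlib import Path

PATCHED_VERSION = (2, 17, 0)                      # target version named in the advisory
UNUSED_JAR = "elasticsearch-sql-cli-6.4.2.jar"    # binary the full update removes

def parse_version(text):
    """Extract the first x.y.z version found in a string, as a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def log4j_version(jar_path):
    """Prefer Implementation-Version from the jar manifest; fall back to the filename."""
    try:
        with zipfile.ZipFile(jar_path) as z:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:") and parse_version(line):
                return parse_version(line)
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable or manifest-less jar: trust only the filename
    return parse_version(Path(jar_path).name)

def audit(root):
    """Walk an install tree; flag log4j-core jars below 2.17.0 and the leftover unused jar."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        if path.name.startswith("log4j-core"):
            version = log4j_version(path)
            if version is None or version < PATCHED_VERSION:
                findings.append(("outdated-log4j-core", str(path), version))
        elif path.name == UNUSED_JAR:
            findings.append(("unused-binary-present", str(path), None))
    return findings

def make_fake_jar(path, version):
    """Constructed sample: a minimal jar whose manifest declares the given version."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")

def demo():
    """Build a constructed (hypothetical) install tree in a temp dir and audit it."""
    lib = Path(tempfile.mkdtemp())
    make_fake_jar(lib / "log4j-core-2.11.1.jar", "2.11.1")   # pre-patch, should be flagged
    make_fake_jar(lib / "log4j-core-2.17.0.jar", "2.17.0")   # patched, should pass
    (lib / UNUSED_JAR).write_bytes(b"")                        # leftover binary, should be flagged
    return audit(lib)
```

Point audit() at the server's installation directory to confirm that the patch or full update left no log4j-core jar below 2.17.0 and that the unused binary is gone.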

The Altium security team has confirmed that our products, websites and internal infrastructure environment are not at risk from the Log4Shell vulnerability, CVE-2021-44228.

Altium Nexus Server and Altium Concord Pro ship with Elasticsearch 6.4.2, which runs on JDK 8u192 and contains a log4j file. However, per Elasticsearch's statements, which Altium has verified, this specific version is not susceptible to remote code execution because of its use of the Java Security Manager. For any extensions installed for use with Altium Designer, please refer to the extension's vendor for their status. We will continue to remain vigilant and monitor the situation.
