We are getting requests from our customers who are concerned about the so-called Log4j vulnerabilities.
The security vulnerabilities are related to Log4j, a Java-based open source Apache logging framework widely used in enterprise environments to record events and messages generated by software applications.
In general, based on our software dependency analysis, dSPACE products are not affected by the vulnerabilities listed below in different versions of the Log4j library.
Either a different version without the vulnerability is used, or the vulnerable code is not included even where the Log4j APIs are used.
This analysis result also applies to the third-party components installed with our software.
CVE Dictionary Entry | Our assessment |
---|---|
The vulnerabilities affect a remote code execution case in Log4j. | |
This vulnerability affects the use of the SocketServer to send log information. | |
This vulnerability affects the use of SMTPAppender to log information. In the relevant implementation in dSPACE software, ConsoleAppender and RollingFileAppender are used, so dSPACE software is not vulnerable to this CVE. | |
This vulnerability affects the use of JMSAppender to log information. | |
This vulnerability affects the lack of protection against uncontrolled recursion through self-referential lookups. | |
This vulnerability affects a possible remote code execution (RCE) attack. | |
CVE-2022-23302 | This vulnerability affects the use of JMSSink to log information. In the relevant implementation in dSPACE software, JMSSink is not configured to be used, so dSPACE software is not vulnerable to this CVE. |
CVE-2022-23305 | This vulnerability affects the use of JDBCAppender to log information. In the relevant implementation in dSPACE software, ConsoleAppender and RollingFileAppender are used, so dSPACE software is not vulnerable to this CVE. |
CVE-2022-23307 | This vulnerability affects the use of the Chainsaw user interface to view logging information. In the relevant implementation in dSPACE software, this software component is not configured to be used, so dSPACE software is not vulnerable to this CVE. |
CVE-2023-26464 | This vulnerability affects the use of SocketAppender to log information. In the relevant implementation in dSPACE software, ConsoleAppender and RollingFileAppender are used, so dSPACE software is not vulnerable to this CVE. This vulnerability also affects the use of the Chainsaw user interface to view logging information. In the relevant implementation in dSPACE software, this software component is not configured to be used, so dSPACE software is not vulnerable to this CVE. In ControlDesk versions newer than 7.4p2, the Chainsaw component is removed. |
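
The assessments above rest on which appenders a Log4j configuration actually declares. The following is an added example, not dSPACE code: it audits a Log4j 1.x `.properties` configuration for the appenders named in the table. The fully qualified class names are the standard Log4j 1.x ones and are an assumption about the configuration being checked, the sample configuration is constructed, and XML configurations and the stand-alone components (SocketServer, JMSSink, Chainsaw) are not covered.

```python
import re

# Log4j 1.x classes of the appenders named in the table (assumed standard package names).
FLAGGED = {
    "org.apache.log4j.net.SMTPAppender",
    "org.apache.log4j.net.JMSAppender",
    "org.apache.log4j.net.SocketAppender",
    "org.apache.log4j.jdbc.JDBCAppender",
}
# The two appenders the assessment says are in use.
EXPECTED = {"org.apache.log4j.ConsoleAppender", "org.apache.log4j.RollingFileAppender"}
# Matches "log4j.appender.<name> = <class>", but not sub-properties
# such as "log4j.appender.<name>.layout".
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)\s*$")

def audit_appenders(properties_text):
    """Return (flagged, unexpected) lists of (line_no, appender_name, class)."""
    flagged, unexpected = [], []
    for line_no, line in enumerate(properties_text.splitlines(), start=1):
        if line.lstrip().startswith(("#", "!")):
            continue  # comment line in a properties file
        m = APPENDER_RE.match(line)
        if not m:
            continue
        name, cls = m.groups()
        if cls in FLAGGED:
            flagged.append((line_no, name, cls))
        elif cls not in EXPECTED:
            unexpected.append((line_no, name, cls))  # custom or unlisted appender
    return flagged, unexpected

# Constructed sample configuration, not taken from any dSPACE product.
SAMPLE = """\
log4j.rootLogger=INFO, console, file, mail
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.file = org.apache.log4j.RollingFileAppender
# log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.mail=org.apache.log4j.net.SMTPAppender
log4j.appender.audit=com.example.AuditAppender
"""

if __name__ == "__main__":
    for kind, hits in zip(("named in table", "not in expected set"), audit_appenders(SAMPLE)):
        for line_no, name, cls in hits:
            print(f"line {line_no}: appender '{name}' -> {cls} ({kind})")
```
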
Date | 2023-06-30 |
Information Type | Notifications |
Information Category | Product Security, Troubleshooting |
dSPACE Release | 2023-A, 2022-B, 2022-A, 2021-B, 2021-A, 2020-B, 2020-A, 2019-B, 2019-A, 2018-B, 2018-A, 2017-B, 2017-A, 2016-B, 2016-A, 2015-B, 2015-A, 2014-B, 2014-A, 2013-B, 2013-A, Prior to 2013-A |