Update on the Apache Log4j Utility Vulnerability

Last update: 11 Jan 2022

A security issue related to open-source Apache Log4j Utility has recently been reported. TICRA’s IT-team has investigated any potential impact of this vulnerability with the following findings:

TICRA Software products do not use Java and the Log4J framework and are not vulnerable to the recent “Log4Shell” security attacks.

The Flexnet Publisher license manager available for download on TICRA support web site also is not vulnerable to the Log4Shell attack in its default configuration.

The  Flexnet Publisher download package does include source code for an optional example Java alerter application which uses the Log4J framework. In versions of Flexnet Publisher prior to 11.18.3.1 the included version of Log4J in this example application is vulnerable and hence should not be used unmodified.

Customers using the optional alerter example application from version of Flexnet Publisher prior to version 11.18.3.1  should modify it according to Flexera guidelines:

https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2021-44228-amp-CVE-2021-45105-Log4j-vulnerability-impact-on/ta-p/217384/jump-to/first-unread-message

The latest version 11.18.3.1 of Flexnet Publisher is available for download at the TICRA support site, https://support.ticra.com/flexlm