Update 12/20/21: Following the discovery of a vulnerability in Log4j 2.16 (CVE-2021-45105) that is less severe than the previous ones, the existing workarounds remain valid (manually updating the Log4j version to the latest version, 2.17).
ETA for new versions will be communicated soon.
Update 12/15/21: Following the discovery of a vulnerability in Log4j 2.15 (CVE-2021-45046), new corrections will be made available; the existing workarounds are still valid.
As a result, please find below the list of impacted CAST products:
- Console v1 & v2: correction available in 1.27.0-Funcrel
- Dashboards: correction available in 2.4.3-funcrel and 1.28.4-funcrel
- Imaging: impacted from 2.2.0-beta1 (a workaround exists, see below); correction available in 2.7.1
- Highlight: the production version, which contained Log4j 2.16, was updated on 12/18. Log4j is not used in the Local Agent (not Java) nor in the command line.
Analyzers (JEE, ...) are not impacted. Where Log4j jars are present, they belong to the CAST environment profiles and resources needed for static analysis (resolving links to external jars or detecting external header files); these resources are never executed.
Please also note that JEE Analyzer 1.0.X, 1.2.X and 1.3.X embed an older version of Log4j, 1.2.14, in their Environment profile. This version is not in the 2.0.0-beta9 to 2.15 range affected by Log4Shell.
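The version-range reasoning above (a 1.x jar is out of scope; a 2.x jar is affected depending on where it falls between 2.0-beta9 and the fix versions 2.15 / 2.16 / 2.17) is easy to get wrong when pre-release tags such as beta9 are involved. The following is an added example, not CAST code, that turns a jar inventory into a per-CVE verdict; it assumes the ranges published by Apache for the three CVEs and deliberately ignores the Java 6/7 backport branches (2.3.x, 2.12.x), which must be checked separately.

```python
import re
from typing import List, Optional, Tuple

# Upper bound of each affected range (assumption: Apache's published ranges;
# the 2.3.x / 2.12.x backport branches are not modelled, so they are flagged
# conservatively here and should be verified against the Apache advisory).
AFFECTED_UPPER = [
    ("CVE-2021-44228", "2.14.1"),  # Log4Shell, fixed in 2.15.0
    ("CVE-2021-45046", "2.15.0"),  # fixed in 2.16.0
    ("CVE-2021-45105", "2.16.0"),  # fixed in 2.17.0
]
FIRST_AFFECTED = "2.0-beta9"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Sortable key for a Log4j version; a pre-release (2.0-beta9) sorts below 2.0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    final = 0 if tag else 1            # beta/rc sort before the final release
    return (int(major), int(minor), int(patch or 0), final, int(tag_num or 0))


def affected_cves(version: str) -> List[str]:
    """CVE ids that apply to this log4j-core version, oldest first."""
    key = parse_version(version)
    if key[0] != 2 or key < parse_version(FIRST_AFFECTED):
        return []  # e.g. the 1.2.14 shipped in the JEE environment profiles
    return [cve for cve, upper in AFFECTED_UPPER if key <= parse_version(upper)]


_JAR_RE = re.compile(r"log4j-core-(.+)\.jar$")


def classify_jar(path: str) -> Optional[List[str]]:
    """CVE list for a log4j-core jar path, or None if the file is not log4j-core."""
    m = _JAR_RE.search(path)
    return affected_cves(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed sample of jar names, as a file-system inventory might list them.
    for jar in ["lib/log4j-core-2.0-beta9.jar", "lib/log4j-core-2.14.1.jar",
                "lib/log4j-core-2.15.0.jar", "lib/log4j-core-2.16.0.jar",
                "lib/log4j-core-2.17.0.jar", "profile/log4j-1.2.14.jar"]:
        print(f"{jar}: {classify_jar(jar) or 'not affected / not log4j-core'}")
```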
The documentation has been updated with workarounds for Console, Dashboards and Imaging, and to reflect those fixes: https://doc.castsoftware.com/display/CAST/Apache+Log4j+-+CVE-2021-44228
This list will be updated as needed.
The first corrections will be released in the upcoming versions to be published.
This article will be updated as each corrected release becomes available.
Do not hesitate to contact support if you require specific information.