Apache Log4j Vulnerability for SOLIDWORKS and 3DEXPERIENCE Products and Solutions (CVE-2021-44228)

A recent security issue in the open-source Apache Log4j utility (CVE-2021-44228) has raised questions about how it can impact SOLIDWORKS and 3DEXPERIENCE Products and Solutions. CATI would like to address those concerns with our users.

Dassault Systèmes is aware of the security issue related to the open-source Apache Log4j utility (CVE-2021-44228), and our Cybersecurity team has been actively investigating any potential impact of this vulnerability since Friday, December 10th.

Apache reported that CVE-2021-44228 applies only to Log4j versions 2.0 through 2.14.1, and does not apply to Log4j versions 1.x.
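As an added example (not code from Dassault Systèmes, CATI or Apache), the following Python script inventories Log4j jars under a directory and classifies each one against the version range stated above. The function names and status labels are hypothetical, and it assumes log4j-core 2.x jars carry their standard Maven `pom.properties` entry.

```python
import re
import sys
import zipfile
from pathlib import Path

# Range as stated in the advisory above: Log4j 2.0 through 2.14.1; 1.x is not in scope.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
# Maven metadata entry carried by log4j-core 2.x jars (assumed present in unmodified jars).
POM_V2 = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"^log4j(?:-core)?-(\d+\.\d+(?:\.\d+)?)[^/\\]*\.jar$", re.I)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Pre-release suffixes are ignored (assumption: 2.0-beta9 counts as 2.0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def jar_version(path):
    """Prefer the version recorded inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            if POM_V2 in jar.namelist():
                for line in jar.read(POM_V2).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: the file name is all we have
    m = NAME_RE.match(Path(path).name)
    return parse_version(m.group(1)) if m else None

def classify(version):
    """Map a version tuple to a status label (labels are hypothetical)."""
    if version[0] == 1:
        return "log4j-1.x"
    return "in-range" if AFFECTED_MIN <= version <= AFFECTED_MAX else "outside-range"

def scan(root):
    """Return sorted (path, 'x.y.z', status) for every Log4j jar found under root."""
    hits = []
    for path in Path(root).rglob("*.jar"):
        version = jar_version(path) if path.is_file() else None
        if version is not None:
            hits.append((str(path), ".".join(map(str, version)), classify(version)))
    return sorted(hits)

if __name__ == "__main__":
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:14} {version:8} {path}")
```

Jars nested inside other archives (WAR, EAR, fat jars) are not opened, so a clean result here does not cover bundled copies.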

There is no known vulnerability with SOLIDWORKS or PDM.

3DEXPERIENCE platform SaaS 

· In the hours following the announcement, Dassault Systèmes took immediate measures, as part of our vulnerability and threat intelligence processes, to mitigate potential risks related to the 3DEXPERIENCE platform SaaS offering.

· We are asking our Cloud users of Collaborative Designer for X-CAD to update to the version HF0.4 (available since Dec 14th – 7PM Paris time). [updated on Dec 14th, 9PM Paris time]

· There is no expected action from our 3DEXPERIENCE platform Cloud customers not using Collaborative Designer for X-CAD. [updated on Dec 14th, 3PM Paris time]

3DEXPERIENCE platform On-Premise

You have actions to perform only if you have installed one of the following media:

· “Business Insight Installation” (from R2021x)

  o Please follow the procedure by clicking here

· “O3D_XCADDesignConnectors” (from R2020x HF1 (FP2006) and above, R2021x and R2022x)

  o Please follow the procedure by clicking here

All other 3DEXPERIENCE Platform media are not impacted.


DELMIA Quintiq (All levels)

You have an action to perform. Click here.

DELMIAWorks

[updated on Dec 14th, 9PM Paris time]

DELMIAWorks has been actively reviewing any instance of Log4J in the DELMIAWorks code base. Currently, Log4J is not used by DELMIAWorks explicitly; however, it is present in Oracle products.

There are 3 main areas where Log4J is present with DELMIAWorks usage of Oracle:
1.    Oracle Database: Oracle currently lists this as not affected by the vulnerability, and does not need patching
2.    Oracle OHS (Referred to as ‘Apache’ in DELMIAWorks documentation): Oracle currently lists this as not affected by the vulnerability, and does not need patching
3.    SQL Developer: Oracle currently lists this as no impact but highly recommends updating to the latest version (https://www.oracle.com/tools/downloads/sqldev-downloads.html)

DELMIAWorks will continue to monitor Oracle’s updates for any changes to Oracle’s stance on their products and will update this document as any new information becomes available.

CATIA No Magic (R2021x Refresh 1 & 2)

You have an action to perform. Please follow the procedure by clicking here

You can also find more details on the dedicated CATIA No Magic webpage (click here)

For all other Dassault Systèmes Solutions

[updated on Dec 14th, 10AM Paris time]

· There is no impact identified.

· The procedures attached to this article must be applied only if one of the solutions above applies to you.

· A few investigations are still ongoing. Please follow the progress in the Dassault Systèmes article at the link below:

https://r1132100503382-eu1-3dswym.3dexperience.3ds.com/#community:4/post:r4IfD07pTPOTB0pFC47Eew

If you receive an Access Denied error, you can get into the KB from the link below and search for Log4j

https://support.3ds.com/knowledge-base/
