- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints
- CVE-2021-45046: the fix for CVE-2021-44228 was incomplete in certain non-default configurations.
Apache Log4j Vulnerability CVE-2021-44228 - How does it affect Matlab run time?
8 vues (au cours des 30 derniers jours)
Afficher commentaires plus anciens
Apache Log4j Vulnerability CVE-2021-44228 - How does it affect Matlab run time?
0 commentaires
Réponses (2)
Sebastian
le 14 Déc 2021
Modifié(e) : Sebastian
le 20 Déc 2021
MathWorks has published the following in the Trust Center (version 3 of 2021-12-18):
MathWorks Response to CVE-2021-44228 and CVE-2021-45046 Apache Log4j vulnerabilities
Security researchers disclosed the following vulnerabilities in the Apache Log4j Java logging library:
MathWorks Product Security promptly conducted an assessment across the code base for desktop, server and online applications and determined that MathWorks customers do not need to take any action related to MathWorks products and online applications:
MathWorks Desktop and Server Products
None of MathWorks general release desktop or server products include the affected versions of Log4j and so do not contain the CVE-2021-44228 or CVE-2021-45046 logging vulnerabilities.
MathWorks is not aware of any exploitable vulnerabilities in the log4j framework used in any of our general release desktop or server products.
MathWorks general release desktop or server products includes MATLAB, Simulink, Stateflow, MATLAB Production Server, MATLAB Web App Server, MATLAB Parallel Server, MATLAB Online Server, MATLAB Runtime, MathWorks Product Installer, MATLAB Runtime Installer, all Polyspace products, RoadRunner and any toolboxes or blocksets for any of these. In addition, this includes all previous general releases such as R2021b, R2021a, R2020b, R2020a, and so on.
All online applications have been patched with officially suggested mitigations. After investigation there was no evidence that the vulnerability had been exploited on any of our systems.
Continuing Activities
MathWorks Product Security will continue to monitor this specific set of issues for their potential impact on our products.
See here for the full document: https://www.mathworks.com/content/dam/mathworks/policies/mathworks-response-to-cve-2021-44228-log4j-vulnerability.pdf
8 commentaires
Eduardo Revuelta
le 16 Déc 2021
I am curious about this topic. While It may be true that vulnerability CVE-2021-44228 does not affect Matlab products, this CVE was filled describing how it affects log4j 2 versions.
But another CVE has been filled in order to treat how the log4j vulneravility affects versions 1.X.X. (CVE-2021-4104). If MathWorks products are running with these versions, we have not had any answer about whether or not they are vulnerable to the log4j issue.
I am looking for some more detailed clarification if possible.
See: https://logging.apache.org/log4j/2.x/security.html
Sebastian
le 16 Déc 2021
please refer to this parallel thread and its comments:
Image Analyst
le 14 Déc 2021
I doubt it would have a significant on the run time (in seconds) of your program in MATLAB online (the only version that needed to be patched). I think your program should run just as fast as before. Try it and see.
0 commentaires
Voir également
Catégories
En savoir plus sur Enterprise Deployment with MATLAB Production Server dans Help Center et File Exchange
Community Treasure Hunt
Find the treasures in MATLAB Central and discover how the community can help you!
Start Hunting!