
Impact of Log4j Java Security Vulnerability (CVE-2021-44228) on L3Harris Geospatial software

The following table indicates the impact of the Log4j Java Security Vulnerability (CVE-2021-44228) [a] on Harris Geospatial Solutions, Inc. [b] (HGSI) software and services, based on our analysis or on statements provided by third-party developers of distributed software.

Table: Impact of Log4j security vulnerability (CVE-2021-44228) on HGSI products and services.
| HGSI Product or Service | Status |
|---|---|
| Helios | Patched |
| ENVI/IDL [c] | Not affected |
| ENVI Photogrammetry | Not affected |
| FlexNet Embedded Local License Server [d] | Not affected |
| Jagwire | Investigating |
| Stern | Not affected |
| GSF | Not affected |
| (Tech Preview) License Server 3.0 | Not affected |

Notes:

[a] Reference pages with details about the Log4j security vulnerability:

[b] Harris Geospatial Solutions, Inc. is a wholly owned subsidiary of L3Harris Technologies, Inc.

[c] We have determined that IDL 8.8.1 and ENVI 5.6.1 and higher (as well as older versions back to IDL 8.5 and ENVI 5.3) are not affected by the CVE-2021-44228 Log4j 2 security vulnerability.

   The "ant" Log4j-related file (included with IDL 8.5, ENVI 5.3 to IDL 8.8.1, ENVI 5.6.1 and later), which is a wrapper that does not contain the actual Log4j package, is not impacted by CVE-2021-4104 or CVE-2021-44228.

   We have also determined that the JNDI-based exploit (security vulnerability CVE-2021-4104) does not apply to IDL 8.8(.0) and ENVI 5.6(.0) with Log4j version 1. We recommend that you upgrade to IDL 8.8.1 and ENVI 5.6 SP1 if you have concerns about Log4j 1.x.

[d] The HGSI distributions of the FlexNet Embedded Local License Server, versions 2020.07.0, 2017.08.0 and 2016.03.0, are unaffected by the Log4j 2 CVE-2021-44228, and related CVE-2021-45105 and CVE-2021-45046, security vulnerabilities.

   Also, although Log4j 1 is included with our FlexNet Embedded license server distribution, we have determined that these distributions and our standard configuration of the license server are unaffected by the Log4j 1 security vulnerability CVE-2021-4104.

   (Note that users who have independently implemented the Tomcat-based FlexNet License Server Manager (FLSM) web UI to manage the HGSI FlexNet Embedded License Server (FNLS) should remove this Tomcat/FLSM configuration, which may expose the Log4j vulnerabilities in FNLS. The FlexNet License Server Manager UI is not documented or supported by HGSI.)
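One way to confirm on your own installation what notes [c] and [d] describe (a wrapper file that carries no Log4j package, and a distribution that does ship Log4j 1) is to list which Log4j classes a jar actually contains. The following is an added example, not HGSI code; the sample archives, their file names and their layout are constructed for illustration.

```python
import io
import zipfile

# Class files behind the code paths named in the CVEs. Presence means the class is
# packaged (check version and configuration next); it does not by itself mean exploitable.
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "Log4j 2 JndiLookup (CVE-2021-44228)",
    "org/apache/log4j/net/JMSAppender.class": "Log4j 1 JMSAppender (CVE-2021-4104)",
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, max_depth=4):
    """Return sorted (location, finding) pairs for marker classes in an archive,
    descending into nested archives such as fat jars and WAR files."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive, or corrupt: nothing to report
    with zf:
        for name in zf.namelist():
            if name in MARKERS:
                findings.append((f"{label}!{name}", MARKERS[name]))
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and max_depth > 0:
                findings += scan_archive(zf.read(name), f"{label}!{name}", max_depth - 1)
    return sorted(findings)


def make_jar(entries):
    """Build an in-memory jar from {path: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed samples (names and contents are assumptions, not HGSI's files).
WRAPPER = make_jar({"org/apache/tools/ant/listener/Log4jListener.class": b""})
LOG4J1 = make_jar({"org/apache/log4j/net/JMSAppender.class": b""})
LOG4J2 = make_jar({"org/apache/logging/log4j/core/lookup/JndiLookup.class": b""})
WEBAPP = make_jar({"WEB-INF/lib/log4j-core.jar": LOG4J2, "WEB-INF/lib/wrapper.jar": WRAPPER})

if __name__ == "__main__":
    for label, blob in [("wrapper.jar", WRAPPER), ("log4j1.jar", LOG4J1), ("webapp.war", WEBAPP)]:
        for location, finding in scan_archive(blob, label) or [(label, "no marker classes")]:
            print(f"{location}: {finding}")
```

To scan a real file, pass its bytes, for example `scan_archive(open(path, "rb").read(), path)`. Classes that were relocated (shaded) under another package name are not matched by this path-based check.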


(Article last updated May 23, 2022)

Written by JU 12/14/2021, reviewed by BC