Impact of Log4j Java Security Vulnerability (CVE-2021-44228) on L3Harris Geospatial software

The following table indicates the impact of the Log4j Java Security Vulnerability (CVE-2021-44228) [a] on Harris Geospatial Solutions, Inc. [b] (HGSI) software and services, based on our analysis or on statements provided by third-party developers of distributed software.

Table: Impact of Log4j security vulnerability (CVE-2021-44228) on HGSI products and services.

HGSI Product or Service                          Status
-----------------------------------------------  -------------
Helios                                           Patched
ENVI/IDL [c]                                     Not affected
ENVI Photogrammetry                              Not affected
FlexNet Embedded Local License Server [d]        Not affected
Jagwire                                          Investigating
Stern                                            Not affected
GSF                                              Not affected
(Tech Preview) License Server 3.0                Not affected

 

Notes:

a. Reference pages with details about the Log4j security vulnerability:

b. Harris Geospatial Solutions, Inc. is a wholly owned subsidiary of L3Harris Technologies, Inc.

c. We have determined that IDL 8.8.1 and ENVI 5.6.1 and higher (as well as older versions back to IDL 8.5 and ENVI 5.3) are not affected by the CVE-2021-44228 Log4j 2 security vulnerability.

   The "ant" Log4j-related file (included with IDL 8.5 / ENVI 5.3 through IDL 8.8.1 / ENVI 5.6.1 and later) is a wrapper that does not contain the actual Log4j package, and it is not impacted by CVE-2021-4104 or CVE-2021-44228.

   We have also determined that the JNDI-based exploit (security vulnerability CVE-2021-4104) does not apply to IDL 8.8(.0) and ENVI 5.6(.0) with Log4j version 1. We recommend that you upgrade to IDL 8.8.1 and ENVI 5.6 SP1 if you have concerns about Log4j 1.x.

d. The HGSI distributions of the FlexNet Embedded Local License Server, versions 2020.07.0, 2017.08.0 and 2016.03.0, are unaffected by the Log4j 2 security vulnerability CVE-2021-44228 and the related vulnerabilities CVE-2021-45105 and CVE-2021-45046.

   Also, although Log4j 1 is included with our FlexNet Embedded license server distribution, we have determined that these distributions and our standard configuration of the license server are unaffected by the Log4j 1 security vulnerability CVE-2021-4104.

   (Note that users who have independently implemented the Tomcat-based FlexNet License Server Manager (FLSM) web UI to manage the HGSI FlexNet Embedded License Server (FNLS) should remove this Tomcat / FLSM configuration, which may expose the Log4j vulnerabilities in FNLS. The FlexNet License Server Manager UI is not documented or supported by HGSI.)
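
The notes above distinguish a wrapper file that does not contain the actual Log4j package from distributions that do include Log4j 1. As an added example (not HGSI code), the Python check below lists which archives, including archives nested inside other archives, actually carry the Log4j classes named in these CVEs. The sample JARs are constructed in memory, and the entry name under `example/` is hypothetical.

```python
import io
import zipfile

# Class entries that show a real Log4j package is bundled. Presence alone is not
# exposure: a hit means the version or configuration still has to be reviewed.
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class":
        "Log4j 2 core bundled; check version against CVE-2021-44228",
    "org/apache/log4j/net/JMSAppender.class":
        "Log4j 1 bundled; check configuration against CVE-2021-4104",
}
NESTED = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, depth=0, max_depth=4):
    """Return [(entry path, finding)] for an archive and the archives nested in it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name in MARKERS:
                findings.append((f"{label}!{name}", MARKERS[name]))
            elif name.lower().endswith(NESTED) and depth < max_depth:
                inner = f"{label}!{name}"
                findings += scan_archive(zf.read(name), inner, depth + 1, max_depth)
    return findings


def make_jar(entries):
    """Build a constructed in-memory JAR from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; the entry name under example/ is hypothetical.
WRAPPER_JAR = make_jar({"example/wrapper/Log4jListener.class": b""})
LOG4J1_JAR = make_jar({"org/apache/log4j/net/JMSAppender.class": b""})
FAT_JAR = make_jar({"lib/log4j-core.jar": make_jar(
    {"org/apache/logging/log4j/core/lookup/JndiLookup.class": b""})})

if __name__ == "__main__":
    for label, jar in [("wrapper.jar", WRAPPER_JAR), ("log4j1.jar", LOG4J1_JAR), ("app.jar", FAT_JAR)]:
        print(label, scan_archive(jar, label) or "no Log4j package classes found")
```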


(Article last updated May 23, 2022)

 

Written by JU 12/14/2021, reviewed by BC
