Is the IDE affected by the Log4j security vulnerability (December 2021, CVE-2021-44228, Log4Shell)?

Info on the Log4j security vulnerability

According to Wikipedia (https://en.wikipedia.org/wiki/Log4j#Log4Shell_vulnerability): "A zero-day vulnerability involving remote code execution in Log4j 2, given the descriptor "Log4Shell" (CVE-2021-44228), was found and reported to Apache by Alibaba on November 24, 2021, and published in a tweet on December 9, 2021. ..."

Is logi.CAD 3 (= the IDE) affected by this security vulnerability?

Yes, but only if you are using a logi.CAD 3 (= the IDE) version before V2.0.0 and that version contains the test framework. Note that the test framework is not included in all variants of logi.CAD 3.

Check as follows whether both conditions apply to the logi.CAD 3 version/variant you are using:

  1. In logi.CAD 3, open the Help menu and select the command About logi.CAD 3. Check which version number is displayed in the dialog.

  2. In logi.CAD 3, open a project with at least one POU that meets the requirements listed under "Preparing an existing project for tests". Check whether you are able to create a test suite for this POU. If yes, the logi.CAD 3 variant contains the test framework.

If you are using logi.CAD 3 version 1.126.0 (or an earlier version) and this version contains the test framework, this version/variant of logi.CAD 3 is affected by the Log4j security vulnerability (see https://logging.apache.org/log4j/2.x/security.html). Reason: the test framework in these versions is based on Java and ships a vulnerable version of the Log4j 2 component.

Recommended procedure: Install the current logi.CAD 3 version.
However, if you need or want to continue using a logi.CAD 3 version that is affected in principle, you can
mitigate the Log4j security vulnerability by deleting the class JndiLookup from the test framework's jar file and from the workspace copy of that jar file, as described below. This is the mitigation Apache documents for installations that cannot be upgraded: it removes the JNDI lookup that Log4Shell exploits. Close logi.CAD 3 before editing the jar files, otherwise the running IDE keeps them open and the change may fail or be overwritten.

  1. In the file explorer of the operating system, change to the installation folder of logi.CAD 3. Then change into the subfolder \plugins\com.logicals.lc3.testframework.core_x.y.z\bin\ (x.y.z corresponds to the version number of logi.CAD 3).

  2. Locate the file com.logicals.lc3.testframework.robot.keywords.jar in this folder.

  3. Open this file using "7-Zip".
    Use a file archiver tool that processes nested packages correctly. Example: the free file archiver "7-Zip", which can be downloaded from http://7-zip.org/. If you use a different file archiver tool, proceed analogously in the next steps.

  4. In the archive, change to the folder org\apache\logging\log4j\core\lookup\

  5. Delete the file JndiLookup.class.
    Result: The potential weak spot for attacks (the JNDI lookup) is removed from this jar file. You are still able to use the test framework without any restrictions.

  6. If you want to keep using an existing workspace with this logi.CAD 3 version, you must also delete the file JndiLookup.class from the copy of the jar file that exists in the workspace.
    That jar file is located under the subfolder .metadata\.plugins\com.logicals.lc3.testframework.core\ of the workspace.
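The six steps above are a manual procedure with an archiver. The following script is an added example (not part of the logi.CAD 3 documentation or product) that does the same check and removal for every .jar below a folder, so it can be pointed at both the plugins\...\bin folder and the workspace's .metadata\.plugins\... folder. It reports whether each jar, and any jar nested inside it, contains org/apache/logging/log4j/core/lookup/JndiLookup.class, reads the log4j-core version from the jar's Maven metadata when present, and with --fix rewrites the jar without that class, keeping a .bak copy. The sample jar built by make_sample_jar() is constructed for demonstration and is not a real logi.CAD 3 artifact.

```python
"""Find the Log4j JndiLookup class in jar files and strip it (added example).

Usage:  python strip_jndilookup.py <folder> [--fix]
"""
import io
import os
import shutil
import sys
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_core_version(zf):
    """Return the log4j-core version from the jar's Maven pom.properties, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar(data, name):
    """Yield (path, log4j_version, has_jndilookup) for a jar and every jar nested in it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        yield name, log4j_core_version(zf), JNDI_CLASS in names
        for inner in names:
            if inner.lower().endswith(".jar"):
                yield from inspect_jar(zf.read(inner), f"{name}!/{inner}")


def strip_jndilookup(data):
    """Return a copy of the jar bytes without JndiLookup.class, recursing into nested jars."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue  # drop the vulnerable lookup class; everything else is copied
            payload = src.read(info.filename)
            if info.filename.lower().endswith(".jar"):
                payload = strip_jndilookup(payload)
            dst.writestr(info, payload)
    return out.getvalue()


def scan(root, fix=False):
    """Map each jar path under root to its findings; rewrite affected jars when fix is set."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                data = fh.read()
            findings = list(inspect_jar(data, path))
            report[path] = findings
            if fix and any(hit for _p, _v, hit in findings):
                shutil.copy2(path, path + ".bak")  # keep the original for rollback
                with open(path, "wb") as fh:
                    fh.write(strip_jndilookup(data))
    return report


def make_sample_jar():
    """Constructed sample: JndiLookup.class both at top level and inside a nested jar."""
    fake_class = b"\xca\xfe\xba\xbe"  # placeholder bytes, not real bytecode
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, fake_class)
        z.writestr(POM_PROPS, "version=2.14.1\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("keywords/Robot.class", fake_class)
        z.writestr(JNDI_CLASS, fake_class)
        z.writestr("lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()


def demo_on_sample():
    """Write the sample jar to a temp folder, scan, fix, rescan; return the evidence."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "com.logicals.lc3.testframework.robot.keywords.jar")
        with open(path, "wb") as fh:
            fh.write(make_sample_jar())
        before = [hit for _p, _v, hit in scan(tmp)[path]]
        scan(tmp, fix=True)
        after = [hit for _p, _v, hit in scan(tmp)[path]]
        with zipfile.ZipFile(path) as zf:
            kept = sorted(zf.namelist())
        return before, after, kept


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for findings in scan(root, fix="--fix" in sys.argv).values():
        for entry, version, hit in findings:
            print(f"{entry}: log4j-core {version or 'unknown'}: "
                  f"{'JndiLookup present' if hit else 'clean'}")
```

Running the script without --fix is a read-only inventory, which is the first thing to do before touching an installation; the .bak copies let you restore a jar if the test framework misbehaves afterwards.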

Good to know

As of version 2.0.0 of logi.CAD 3, the test framework is based on Python and therefore no longer contains the vulnerable Log4j component.

If you want to check for yourself which version of the Log4j component is used in the current logi.CAD 3 version, proceed as follows:

  1. In logi.CAD 3, open the menu Help.

  2. Select the command About logi.CAD 3 and click Installation details.

  3. In the dialog, change to the tab Plug-ins and enter the term log4j in the search field.
    Result: The list shows the plug-in Apache Jakarta log4j with a system version. Example of a system version: 1.2.15.v201012070815
    Log4j versions 2.0-beta9 up to and including 2.14.1 are affected by CVE-2021-44228; Log4j 2.15.0 is the first 2.x release that fixes it (check the Apache security page for the currently recommended release). Versions such as 1.2.15 and 1.2.19 belong to the separate Log4j 1 branch, which does not contain the Lookup mechanism that Log4Shell exploits, and are not affected by this vulnerability. So if, for example, the system version 1.2.19.v20220208-1728 is displayed for the plug-in, this version of logi.CAD 3 is not affected by the security vulnerability. This check covers the Log4j plug-in of the IDE platform; for versions before 2.0.0 the test framework's own copy of Log4j is inside the jar file named in the procedure above.
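Deciding by eye whether a bundle version such as 1.2.19.v20220208-1728 or 2.0-beta9 falls inside the affected range is error-prone because of the pre-release suffixes. The following is an added example, not part of the logi.CAD 3 documentation, that parses the system version string shown in the Installation details dialog (Eclipse bundle versions carry a build qualifier after the third number, which is ignored) and classifies it against the range quoted above. Beyond what the text states, it also recognises the 2.3.1+ and 2.12.2+ backport releases that Apache published with the fix for older Java versions, and it treats any Log4j 1.x version as outside the scope of this CVE.

```python
"""Classify a Log4j version string against CVE-2021-44228 (added example)."""
import re
import sys

# Pre-release tags order before the final release of the same number.
PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
FINAL = (3, 0)


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, (1, 9)); '1.2.19.v20220208-1728' -> (1, 2, 19, (3, 0))."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    pre = (PRE_ORDER[m.group(4)], int(m.group(5))) if m.group(4) else FINAL
    return (major, minor, patch, pre)


FIRST_BAD = parse_version("2.0-beta9")
LAST_BAD = parse_version("2.14.1")
# Minimum patch level per minor line that already carries the backported fix.
BACKPORT_FIXED = {(2, 3): 1, (2, 12): 2}


def log4shell_status(text):
    """Return (affected: bool, reason) for a Log4j or Eclipse bundle version string."""
    v = parse_version(text)
    if v[0] == 1:
        return False, "Log4j 1.x: separate branch without the Lookup mechanism (end-of-life)"
    if v[0] != 2:
        return False, "not a Log4j 2 version"
    if v < FIRST_BAD:
        return False, "before 2.0-beta9"
    if v > LAST_BAD:
        return False, "2.15.0 or later (contains the fix)"
    if v[2] >= BACKPORT_FIXED.get((v[0], v[1]), 10**9):
        return False, f"backport release {v[0]}.{v[1]}.{v[2]} contains the fix"
    return True, "in the affected range 2.0-beta9 .. 2.14.1 (CVE-2021-44228)"


if __name__ == "__main__":
    for arg in sys.argv[1:] or ["1.2.19.v20220208-1728", "2.14.1", "2.0-beta9"]:
        affected, reason = log4shell_status(arg)
        print(f"{arg}: {'AFFECTED' if affected else 'not affected'}: {reason}")
```

Paste the system version exactly as the dialog shows it; the qualifier after the third number is the Eclipse build stamp, not part of the Log4j release number, and the parser drops it.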

logi.cals recommends installing and using the most current versions of logi.CAD 3 and the runtime system, so that the latest features and problem fixes listed in the release notes are available in the version you use.

