Is the IDE affected by the Log4j security vulnerability (December 2021, CVE-2021-44228, Log4Shell)
Info on Log4j security vulnerability

According to Wikipedia (https://en.wikipedia.org/wiki/Log4j#Log4Shell_vulnerability): A zero-day vulnerability involving remote code execution in Log4j 2, given the descriptor "Log4Shell" (CVE-2021-44228), was found and reported to Apache by Alibaba on November 24, 2021, and published in a tweet on December 9, 2021...
Is Neuron Power Engineer (= the IDE) affected by this security vulnerability?
Yes, but only if you are using a version before V2.0.0 of Neuron Power Engineer (= the IDE) that also contains the test framework. Note: The test framework is not provided in all variants of Neuron Power Engineer.
This is how you can check whether both conditions apply to your used Neuron Power Engineer version/variant:

- In Neuron Power Engineer, open the Help menu and select the command About Neuron Power Engineer. Check which version number is displayed in the dialog.
- In Neuron Power Engineer, open a project with at least one POU that meets the requirements listed under "Preparing an existing project for tests". Check whether you are able to create a test suite for this POU. If yes, the Neuron Power Engineer variant contains the test framework.
If you are using Neuron Power Engineer version 1.126.0 (or a previous version) and this version contains the test framework, this version/variant of Neuron Power Engineer is affected by the Log4j security vulnerability according to https://logging.apache.org/log4j/2.x/security.html. Reason: The test framework in these versions is based on Java and uses a vulnerable version of the Log4j component.
Recommended procedure: Install the current Neuron Power Engineer version.
However, if you need or want to continue using a Neuron Power Engineer version that is affected in principle, you can close the Log4j security vulnerability by deleting the class JndiLookup for the test framework and the workspace as follows:

- In the file explorer of the operating system, change to the installation folder of Neuron Power Engineer. Then change into the subfolder \plugins\com.logicals.lc3.testframework.core_x.y.z\bin\ (x.y.z corresponds to the version number of Neuron Power Engineer).
- Locate the file com.logicals.lc3.testframework.robot.keywords.jar in this folder.
- Open this file using a file archiver tool that processes nested packages correctly. Example: the free file archiver "7-zip", which can be downloaded at http://7-zip.org/
  Note: An installation path that is too long can cause problems (see "An installation path too long prevents the building/loading of the application"). To keep the installation path as short as possible, it is recommended that you deselect any options/settings that cause the installation path to be too long when extracting the package.
  If you use a different file archiver tool, proceed analogously in the next steps.
- In the file, change to org\apache\logging\log4j\core\lookup\
- Delete the file JndiLookup.class.
  Result: The potential weak spot for attacks is now removed. You are still able to use the test framework without any restrictions.
- If you want to use an existing workspace for the Neuron Power Engineer version, you must also delete the file JndiLookup.class from the jar file that exists for the workspace. The relevant jar file can be found under the subfolder .metadata\.plugins\com.logicals.lc3.testframework.core\ of the workspace.
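The following script is an added example and is not part of the original page or of Neuron Power Engineer's own tooling. It performs the same mitigation as the manual 7-zip steps above, but in an auditable way: it reports every copy of org/apache/logging/log4j/core/lookup/JndiLookup.class inside a jar (including jars nested inside the jar, which is why the text asks for an archiver that handles nested packages), writes a cleaned copy that omits that entry, and re-checks the result. The jar it operates on is a constructed dummy built in a temporary directory; the file names, the nested jar name and the class file contents are assumptions for the demonstration only and are not the real test framework files.

```python
"""Find and remove the Log4j 2 JndiLookup class from a jar, nested jars included.

Added example (not from the original page or the product). The sample jar
built by build_sample_jar() is constructed for the demonstration; in practice
you would point find_jndilookup()/strip_jndilookup() at the real keywords jar
and at the workspace jar named in the procedure above.
"""
import io
import os
import tempfile
import zipfile

# Entry name of the class that implements the JNDI lookup (the Log4Shell sink).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _find_in_zip_bytes(data, prefix=""):
    """Return all JndiLookup.class entries in a zip given as bytes.

    Nested jars are descended recursively; nested hits are reported as
    'outer.jar!inner/path' so the report shows where each copy lives."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            if name == JNDI_LOOKUP:
                hits.append(prefix + name)
            elif name.endswith(".jar"):
                hits.extend(_find_in_zip_bytes(archive.read(name), prefix + name + "!"))
    return hits


def find_jndilookup(jar_path):
    """Report every JndiLookup.class entry in the jar at jar_path."""
    with open(jar_path, "rb") as f:
        return _find_in_zip_bytes(f.read())


def _strip_from_zip_bytes(data):
    """Rewrite a zip without JndiLookup.class; return (new_bytes, removed_count).

    Zip files cannot be edited in place, so every other entry is copied over
    unchanged. Nested jars are rewritten the same way before being re-added."""
    removed = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue  # drop the vulnerable class, keep everything else
            payload = zin.read(info.filename)
            if info.filename.endswith(".jar"):
                payload, nested_removed = _strip_from_zip_bytes(payload)
                removed += nested_removed
            zout.writestr(info, payload)  # keeps the original entry metadata
    return out.getvalue(), removed


def strip_jndilookup(src_path, dst_path):
    """Write a cleaned copy of src_path to dst_path; return how many copies were removed."""
    with open(src_path, "rb") as f:
        cleaned, removed = _strip_from_zip_bytes(f.read())
    with open(dst_path, "wb") as f:
        f.write(cleaned)
    return removed


def build_sample_jar(path):
    """Constructed sample: a jar carrying JndiLookup.class directly and again
    inside a nested jar. The class bytes are dummies, not real Log4j code."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_LOOKUP, b"dummy class bytes")
        z.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"keep me")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr(JNDI_LOOKUP, b"dummy class bytes")
        z.writestr("lib/log4j-core.jar", inner.getvalue())  # assumed nested jar name


def demo():
    """Build the sample jar, clean it, and return (before, removed, after, remaining)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "keywords.jar")
        dst = os.path.join(tmp, "keywords.cleaned.jar")
        build_sample_jar(src)
        before = find_jndilookup(src)
        removed = strip_jndilookup(src, dst)
        after = find_jndilookup(dst)
        with zipfile.ZipFile(dst) as z:
            remaining = z.namelist()
    return before, removed, after, remaining


if __name__ == "__main__":
    before, removed, after, remaining = demo()
    print("JndiLookup copies before:", before)
    print("copies removed:", removed)
    print("JndiLookup copies after:", after)
    print("entries kept:", remaining)
```

Running the script with no arguments exercises the constructed sample; to apply it to a real installation, call strip_jndilookup() on a backup copy of the keywords jar and of the workspace jar, then confirm with find_jndilookup() that both reports come back empty before starting Neuron Power Engineer again.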