Join 30k+ developers that stay on top of the latest low code insights!
insights and reports
Design powerful enterprise applications. Build your vision without restriction.
Build logic. Power your enterprise application with data and intelligence.
Connect and integrate with total freedom. Any database, system, or hardware.
Application deployment just got a whole lot better. Deploy powerful applications. Anywhere.
Monitor, analyze, and take action. Manage your applications. Gain a total overview.
December 29, 2021
3 minutes read
This vulnerability notification has been updated on December 29 2021 to include a 4th issue affecting Apache Log4J. Please read below for new remediation strategies.
Servoy servers make use of Apache Log4j, a widely used Java logging library. Apache Log4j versions prior to 2.15.0 are susceptible to a vulnerability which when successfully exploited could allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The original vulnerability found is regarded as “critical”: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
The second/related vulnerability is regarded as “critical”: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
The third vulnerability is regarded as “high”: https://nvd.nist.gov/vuln/detail/CVE-2021-45105
The fourth vulnerability is regarded as “unknown”: https://nvd.nist.gov/vuln/detail/CVE-2021-44832
Servoy is closely monitoring this vulnerability and has already applied patches for the following releases by providing log4j 2.17.1.
These patches may be obtained from our build server starting December 30 2021.
As of December 30, ServoyCloud production instances will be automatically secured against this threat, pending a rebuild. Servoy cloud pipeline customers can also begin building with the patched versions. The patches are applied at build-time, so EVERY version will be auto-patched if built in the ServoyCloud Pipeline.
NOTE: The previous remediation strategy, of applying a Java Runtime Argument ( -Dlog4j2.formatMsgNoLookups=true ) is rendered incomplete by the introduction of the second vulnerability.
To remediate the vulnerability, it is recommended that you replace the log4j jar dependencies in your deployed applications with the latest patch from Apache.
Unzip the distribution and copy/extract the following jars into a directory
While Servoy Developer itself is not vulnerable. The log4j dependencies will be exported when generating .war files from the IDE.
Servoy Application Server from legacy versions can be installed as a stand-alone Tomcat container with applications deployed via .servoy export files only (non-war deployment). If you still deploy your applications via .servoy exports, please follow the above instructions for Updating Servoy Developer on your server installation. Be sure to STOP tomcat before replacing the jars.
* Look into our Servoy Cloud offering, where security issues are continuously monitored by bots & experts and resolved for you as soon as they arise. Automatically. Contact your Servoy Sales rep for details on how to obtain a hassle free Servoy deployment.
insights and reports