Apache Log4j Vulnerability CVE-2021-44228 - How does it affect Matlab run time?
Answers (2)
MathWorks has published the following in the Trust Center (version 3 of 2021-12-18):
MathWorks Response to CVE-2021-44228 and CVE-2021-45046 Apache Log4j vulnerabilities
Security researchers disclosed the following vulnerabilities in the Apache Log4j Java logging library:
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints
- CVE-2021-45046: the fix for CVE-2021-44228 was incomplete in certain non-default configurations.
MathWorks Product Security promptly conducted an assessment across the code base for desktop, server and online applications and determined that MathWorks customers do not need to take any action related to MathWorks products and online applications:
MathWorks Desktop and Server Products
None of MathWorks general release desktop or server products include the affected versions of Log4j and so do not contain the CVE-2021-44228 or CVE-2021-45046 logging vulnerabilities.
MathWorks is not aware of any exploitable vulnerabilities in the log4j framework used in any of our general release desktop or server products.
MathWorks general release desktop or server products include MATLAB, Simulink, Stateflow, MATLAB Production Server, MATLAB Web App Server, MATLAB Parallel Server, MATLAB Online Server, MATLAB Runtime, MathWorks Product Installer, MATLAB Runtime Installer, all Polyspace products, RoadRunner and any toolboxes or blocksets for any of these. In addition, this includes all previous general releases such as R2021b, R2021a, R2020b, R2020a, and so on.
All online applications have been patched with officially suggested mitigations. After investigation there was no evidence that the vulnerability had been exploited on any of our systems.
Continuing Activities
MathWorks Product Security will continue to monitor this specific set of issues for their potential impact on our products.
See here for the full document: https://www.mathworks.com/content/dam/mathworks/policies/mathworks-response-to-cve-2021-44228-log4j-vulnerability.pdf
8 Comments
Vinay Srinivas
14 Dec 2021
Edited: Vinay Srinivas
14 Dec 2021
Mark Pereira
15 Dec 2021
Additional question: Is this true for MATLAB Runtime version 90?
Yang Qin
15 Dec 2021
I would like to find out about this as well, as the Matlab Runtime products have not been included in the safe list above.
Image Analyst
15 Dec 2021
We need some clarification, both with the questions, and the answer. When @Vinay Srinivas said "run time" it could potentially mean
- The amount of time it takes to run a program (like I initially thought)
- A release (installed version on your computer) of MATLAB, or the current version of the MATLAB online server-based software
- The MCR (MATLAB Component Runtime) library, or installer of that library. That library is needed if you want to run a standalone executable that someone made by compiling their source code into an executable. (This is a different product than the regular MATLAB.)
Now, the answer says "None of MathWorks general release desktop or server products include the affected versions of Log4j" and that could also be ambiguous. Does that mean
- only the current latest releases, or
- all releases back to 1984 or whenever?
When they say "determined that MathWorks customers do not need to take any action related to MathWorks products" I'm thinking it's #2 but I think the answer could be more explicit in what releases, especially since Walter is finding lots of mentions of log4j in various folders, files, and installers.
Sebastian
15 Dec 2021
Yes, the statement above is also true for earlier releases of our products, including the MATLAB Runtime. I verified with the team that it is true for *all* releases. I'll follow-up with the team on Walter's observations.
Eduardo Revuelta
16 Dec 2021
I am curious about this topic. While it may be true that vulnerability CVE-2021-44228 does not affect MATLAB products, this CVE was filed describing how it affects log4j 2 versions.
But another CVE has been filed in order to treat how the log4j vulnerability affects versions 1.X.X (CVE-2021-4104). If MathWorks products are running with these versions, we have not had any answer about whether or not they are vulnerable to the log4j issue.
I am looking for some more detailed clarification if possible.
See: https://logging.apache.org/log4j/2.x/security.html
Sebastian
16 Dec 2021
Please refer to this parallel thread and its comments:
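The MathWorks statement above covers the product line, but several comments in this thread (the Runtime question, Walter's observations of log4j mentions in folders and installers, and Eduardo's point about the separate log4j 1.x advisory) come down to the same defender's question: which log4j jars does a given install actually ship, and do they carry the classes the advisories name? The script below is an added example, not MathWorks code and not part of this thread. It walks an install tree, opens every `.jar`, reads the version from the Maven `pom.properties` the Apache log4j jars embed, and reports whether the 2.x `JndiLookup` class (CVE-2021-44228 / CVE-2021-45046) or the 1.x `JMSAppender` class (CVE-2021-4104) is present. The `java/jarext` directory name, the sample jars and the verdict labels are constructed for the example; point `scan_tree` at a real `matlabroot` or Runtime directory to run it on an actual install.

```python
"""Added example (not MathWorks code): inventory log4j indicators in .jar files
under an install tree such as a MATLAB or MATLAB Runtime directory."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Class files that identify the code paths named in the advisories discussed above.
JNDI_LOOKUP_2X = "org/apache/logging/log4j/core/lookup/JndiLookup.class"   # CVE-2021-44228 / -45046
JMS_APPENDER_1X = "org/apache/log4j/net/JMSAppender.class"                 # CVE-2021-4104 (log4j 1.x)
# Maven metadata the Apache log4j jars embed; used only to read the version string.
POM_PROPS_RE = re.compile(r"META-INF/maven/(log4j|org\.apache\.logging\.log4j)/[^/]+/pom\.properties$")


def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); tolerant of suffixes such as '2.3.1-SNAPSHOT'."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


@dataclass
class JarFinding:
    path: str
    version: Optional[str]   # None when no log4j pom.properties was found
    jndi_lookup: bool        # log4j 2.x JndiLookup class present
    jms_appender: bool       # log4j 1.x JMSAppender class present

    @property
    def verdict(self) -> str:
        if self.jndi_lookup:
            # 2.16.0 and later disable JNDI lookups by default even though the class remains;
            # an unknown version is treated conservatively as "present".
            if self.version and version_tuple(self.version) >= (2, 16, 0):
                return "log4j2-jndi-disabled-by-default"
            return "log4j2-jndi-lookup-present"
        if self.jms_appender:
            return "log4j1-jmsappender-present"
        return "no-log4j-indicators"


def inspect_jar(path: str) -> JarFinding:
    """Open one jar and record its log4j version plus the two indicator classes."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        for name in names:
            if POM_PROPS_RE.search(name):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        return JarFinding(path, version, JNDI_LOOKUP_2X in names, JMS_APPENDER_1X in names)


def scan_tree(root: str) -> List[JarFinding]:
    """Walk root and inspect every .jar beneath it (jars nested inside jars are not unpacked)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                findings.append(inspect_jar(os.path.join(dirpath, f)))
    return sorted(findings, key=lambda x: x.path)


def summarize(root: str) -> Dict[str, str]:
    """Map jar file name -> verdict, the form a quick inventory report wants."""
    return {os.path.basename(f.path): f.verdict for f in scan_tree(root)}


def build_sample_tree() -> str:
    """Constructed sample tree (not real MathWorks files): four tiny jars carrying the
    metadata and marker classes the scanner looks for, so the example runs offline."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    jarext = os.path.join(root, "java", "jarext")   # hypothetical layout for the sample
    os.makedirs(jarext)
    samples = {
        "log4j-core-2.14.1.jar": ("org.apache.logging.log4j", "log4j-core", "2.14.1", [JNDI_LOOKUP_2X]),
        "log4j-core-2.17.1.jar": ("org.apache.logging.log4j", "log4j-core", "2.17.1", [JNDI_LOOKUP_2X]),
        "log4j-1.2.17.jar": ("log4j", "log4j", "1.2.17", [JMS_APPENDER_1X]),
        "unrelated.jar": (None, None, None, ["com/example/Placeholder.class"]),
    }
    for jar, (gid, aid, ver, classes) in samples.items():
        with zipfile.ZipFile(os.path.join(jarext, jar), "w") as zf:
            for cls in classes:
                zf.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic only; the body is irrelevant here
            if gid:
                zf.writestr(f"META-INF/maven/{gid}/{aid}/pom.properties",
                            f"groupId={gid}\nartifactId={aid}\nversion={ver}\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for name, verdict in summarize(target).items():
        print(f"{verdict:36} {name}")
```

Two caveats for real use: the verdict is an inventory signal, not a proof of exploitability (a jar can be present on disk without ever being loaded, which is consistent with MathWorks finding no exploitable path), and a shaded or repackaged copy of log4j would still be caught by the class paths but report `version=None`, which the script deliberately treats as "present" rather than as clean.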
Image Analyst
14 Dec 2021
0 votes
I doubt it would have a significant effect on the run time (in seconds) of your program in MATLAB Online (the only version that needed to be patched). I think your program should run just as fast as before. Try it and see.