Apache Log4j Critical Vulnerability (CVE-2021-44228) in the context of Symetri Sovelia PLM application

On December 9, 2021, the Apache Software Foundation released Log4j 2.15.0 to resolve a critical remote code execution vulnerability (CVE-2021-44228) affecting versions 2.0-beta9 through 2.14.1. Apache Log4j is a Java logging library commonly used with Apache Tomcat web applications.

Vulnerability details can be found at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Sovelia Security Advisory 

Sovelia PLM server 

The Sovelia PLM server is not affected, as it does not use Log4j. The Log4j library is not deployed by default with the out-of-the-box Apache Tomcat installation that Symetri uses.

ActionServer - Batch processing component 

A batch processing component called ActionServer is sometimes used as a supplementary service connected to the Sovelia PLM server.

ActionServer uses Log4j. However, the library version it uses does not contain the vulnerability mentioned above.

 

Other Symetri technology components around Sovelia PLM 

Symetri has not identified any other Sovelia PLM components affected by the Log4j vulnerability.

 

Symetri recommendation  

Even though current versions of Sovelia PLM products are not affected by this vulnerability, Symetri always recommends that its customers keep their software up to date.

Sovelia PLM release 19.0 (released in early 2019) and older releases of Sovelia PLM might include old versions of the Log4j library files. As Log4j is not used at all by the Sovelia PLM server, these files can be safely removed.

Releases of Sovelia PLM newer than 19.0 do not include any version of the Log4j library files.
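To find leftover Log4j files in a release 19.0 or older installation before removing them, the following added example (not Symetri's code) walks a directory, lists every `log4j*.jar`, and flags those whose file-name version falls in the 2.0-beta9 through 2.14.1 range stated above. It assumes the jars keep their standard file names and that the operator supplies the installation directory; renamed or repackaged copies are not detected.

```python
import re
import sys
from pathlib import Path

# Version at the end of a jar name, e.g. log4j-core-2.14.1.jar, log4j-1.2.17.jar
VERSION_RE = re.compile(r"-(\d+(?:\.\d+)+)(?:-(alpha|beta|rc)(\d+))?\.jar$")
STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before the final release

# Affected range as stated in the advisory: 2.0-beta9 through 2.14.1
LOW = (2, 0, 0, STAGE["beta"], 9)
HIGH = (2, 14, 1, STAGE[None], 0)


def version_key(jar_name):
    """Return a sortable version tuple parsed from a Log4j jar file name, or None."""
    name = jar_name.lower()
    match = VERSION_RE.search(name)
    if not name.startswith("log4j") or match is None:
        return None
    nums = [int(part) for part in match.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad "2.0" to 2.0.0
    return (*nums[:3], STAGE[match.group(2)], int(match.group(3) or 0))


def in_affected_range(jar_name):
    """True when the file-name version lies within LOW..HIGH inclusive."""
    key = version_key(jar_name)
    return key is not None and LOW <= key <= HIGH


def scan(root):
    """List (path, in_affected_range) for every log4j*.jar below root."""
    hits = []
    for jar in sorted(Path(root).rglob("*.jar")):
        if jar.name.lower().startswith("log4j"):
            hits.append((jar, in_affected_range(jar.name)))
    return hits


if __name__ == "__main__":
    # The directory to scan is supplied by the operator (assumption: no default install path)
    for path, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        label = "IN CVE-2021-44228 RANGE" if affected else "outside range or unparsed"
        print(f"{label}: {path}")
```

Files reported as "outside range or unparsed" are still Log4j files and are covered by the removal advice above.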

The latest Sovelia PLM release available is 21.1.2, released on 23rd Nov 2021.

If you have any questions or concerns, please contact your local account manager or the Sovelia team at info@sovelia.com.