Summary
Appeon is aware of the recently disclosed security vulnerability CVE-2021-44228 relating to the Apache Log4j Java logging framework. The vulnerability makes some protocols unsafe and can allow remote code execution.
Appeon has promptly launched an investigation. This Security Bulletin summarizes the results of our investigation to date and our recommendations for PowerBuilder customers.
PowerBuilder versions affected?
Appeon PowerBuilder 2017 - 2021 are affected, regardless of product edition.
Appeon does not investigate or provide security fixes for EOL versions. If you are using PowerBuilder 12.6 or older, you also may be affected.
Appeon’s investigation results?
The PowerBuilder installation folder contains version 1.2.8 of Log4j, which is NOT listed as an affected version in CVE-2021-44228 but may contain other security vulnerabilities. The WEB-INF\lib folder contains “log4j-1.2.8.jar” file, and the WEB-INF\classes folder contains the “log4j.properties” file.
Appeon has kept such outdated version of Log4j in the PowerBuilder installation in case customers are using obsolete Java features that rely on it.
What should you do?
If you have installed PowerBuilder 2017 – 2019 R2, immediately delete the following two files in the PowerBuilder installation directory:
- The “log4j-1.2.8.jar” file in the Appeon\Shared\PowerBuilder\WEB-INF\lib folder
- The “log4j.properties” file in the Appeon\Shared\PowerBuilder\WEB-INF\classes folder
If you have installed PowerBuilder 2019 R3 – 2021, immediately delete the following two files in the PowerBuilder installation directory:
- The “log4j-1.2.8.jar” file in the Appeon\PowerBuilder ##.0\IDE\WEB-INF\lib folder
- The “log4j.properties” file in the Appeon\PowerBuilder ##.0\IDE\WEB-INF\Classes folder
Then follow your company's security policies and procedures to ensure your IT systems have not been compromised.
If you are using obsolete PowerBuilder features that require Log4j, then you should migrate off those features as soon as possible.
What Appeon will do?
Obsolete features do not receive fixes/updates of any kind. So Appeon will not be updating Log4j to a newer version. Instead, Appeon plans to remove the two files, “log4j-1.2.8.jar” and “log4j.properties”, in all the subsequent PowerBuilder releases (major releases, revisions, and MRs).
Questions?
If any questions regarding this security bulletin, please open a support ticket on the Appeon Website: /standardsupport/newbug.
Last updated: December 24, 2021