1182

Impact of Log4j Java Security Vulnerability (CVE-2021-44228) on L3Harris Geospatial software

The following table indicates the impact of the Log4j Java Security Vulnerability (CVE-2021-44228 a) on Harris Geospatial Solutions, Inc. b (HGSI) software and services, based on our analysis or from statements provided by third party developers of distributed software.

Table: Impact of Log4j security vulnerability (CVE-2021-44228) on HGSI products and services.
HGSI Product or Service Status
Helios Patched
ENVI/IDL c Not affected
ENVI Photogrammetry Not affected
FlexNet Embedded Local License Server d Not affected
Jagwire Investigating
Stern Not affected
GSF Not affected
(Tech Preview) License Server 3.0 Not affected

 

Notes:

Reference pages with details about the Log4j security vulnerability:

Harris Geospatial Solutions, Inc. is a wholly owned subsidiary of L3Harris Technologies, Inc.

We have determined that IDL 8.8.1, and ENVI 5.6 SP1 (as well as older versions back to IDL 8.5 and ENVI 5.3) are not affected by the CVE-2021-44228 Log4j 2 security vulnerability.

   The "ant" Log4j-related file (included with IDL 8.5, ENVI 5.3 to IDL 8.8.1, and ENVI 5.6 SP1), which is a wrapper that does not contain the actual Log4j package, is not impacted by CVE-2021-4104 or CVE-2021-44228.

   We have also determined that the JNDI-based exploit (security vulnerability CVE-2021-4104) does not apply to IDL 8.8(.0) and ENVI 5.6(.0) with Log4j version 1. We recommend that you upgrade to IDL 8.8.1 and ENVI 5.6 SP1 if you have concerns about Log4j 1.x.

The HGSI distributions of the FlexNet Embedded Local License Server, versions 2020.07.0, 2017.08.0 and 2016.03.0, are unaffected by the Log4j 2 CVE-2021-44228, and related CVE-2021-45105 and CVE-2021-45046, security vulnerabilities.

   Also, although Log4j 1 is included with our license server, we have determined that our distributions and standard configuration of the license server is unaffected by Log4j 1 security vulnerability issue CVE-2021-4104. 

   (Note that users who have independently implemented the Tomcat-based FlexNet License Server Manager (FLSM) web UI to manage the HGSI FlexNet Embedded License Server (FNLS) should remove this Tomcat / FLSM configuration -- which may expose the Log4j vulnerabilities in FNLS. The FlexNet License Server Manager UI is not documented or supported by HGSI.)


(Article last updated January 7, 2022)

 

Written by JU 12/14/2021, reviewed  by BC

Please login or register to post comments.