Apache Log4j Vulnerability CVE-2021-44228 - How does it affect Matlab run time?

8 visualizaciones (últimos 30 días)
Apache Log4j Vulnerability CVE-2021-44228 - How does it affect Matlab run time?

Respuestas (2)

Sebastian
Sebastian el 14 de Dic. de 2021
Editada: Sebastian el 20 de Dic. de 2021
MathWorks has published the following in the Trust Center (version 3 of 2021-12-18):
MathWorks Response to CVE-2021-44228 and CVE-2021-45046 Apache Log4j vulnerabilities
Security researchers disclosed the following vulnerabilities in the Apache Log4j Java logging library:
  • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints
  • CVE-2021-45046: the fix for CVE-2021-44228 was incomplete in certain non-default configurations.
MathWorks Product Security promptly conducted an assessment across the code base for desktop, server and online applications and determined that MathWorks customers do not need to take any action related to MathWorks products and online applications:
MathWorks Desktop and Server Products
None of MathWorks general release desktop or server products include the affected versions of Log4j and so do not contain the CVE-2021-44228 or CVE-2021-45046 logging vulnerabilities.
MathWorks is not aware of any exploitable vulnerabilities in the log4j framework used in any of our general release desktop or server products.
MathWorks general release desktop or server products includes MATLAB, Simulink, Stateflow, MATLAB Production Server, MATLAB Web App Server, MATLAB Parallel Server, MATLAB Online Server, MATLAB Runtime, MathWorks Product Installer, MATLAB Runtime Installer, all Polyspace products, RoadRunner and any toolboxes or blocksets for any of these. In addition, this includes all previous general releases such as R2021b, R2021a, R2020b, R2020a, and so on.
All online applications have been patched with officially suggested mitigations. After investigation there was no evidence that the vulnerability had been exploited on any of our systems.
Continuing Activities
MathWorks Product Security will continue to monitor this specific set of issues for their potential impact on our products.
  8 comentarios
Eduardo Revuelta
Eduardo Revuelta el 16 de Dic. de 2021
I am curious about this topic. While It may be true that vulnerability CVE-2021-44228 does not affect Matlab products, this CVE was filled describing how it affects log4j 2 versions.
But another CVE has been filled in order to treat how the log4j vulneravility affects versions 1.X.X. (CVE-2021-4104). If MathWorks products are running with these versions, we have not had any answer about whether or not they are vulnerable to the log4j issue.
I am looking for some more detailed clarification if possible.
See: https://logging.apache.org/log4j/2.x/security.html

Iniciar sesión para comentar.


Image Analyst
Image Analyst el 14 de Dic. de 2021
I doubt it would have a significant on the run time (in seconds) of your program in MATLAB online (the only version that needed to be patched). I think your program should run just as fast as before. Try it and see.

Categorías

Más información sobre Enterprise Deployment with MATLAB Production Server en Help Center y File Exchange.

Etiquetas

Productos


Versión

R11.1

Community Treasure Hunt

Find the treasures in MATLAB Central and discover how the community can help you!

Start Hunting!

Translated by