This vulnerability notification has been updated on December 29 2021 to include a 4th issue affecting Apache Log4J. Please read below for new remediation strategies.
Servoy servers make use of Apache Log4j, a widely used Java logging library. Apache Log4j versions prior to 2.15.0 are susceptible to a vulnerability which when successfully exploited could allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The original vulnerability found is regarded as “critical”:
The second/related vulnerability is regarded as “critical”:
The third vulnerability is regarded as “high”:
The fourth vulnerability is regarded as “unknown”:
These patches may be obtained from our build server starting December 30 2021.
As of December 30, ServoyCloud production instances will be automatically secured against this threat, pending a rebuild. Servoy cloud pipeline customers can also begin building with the patched versions. The patches are applied at build-time, so EVERY version will be auto-patched if built in the ServoyCloud Pipeline.
NOTE: The previous remediation strategy, of applying a Java Runtime Argument ( -Dlog4j2.formatMsgNoLookups=true ) is rendered incomplete by the introduction of the second vulnerability.
To remediate the vulnerability, it is recommended that you replace the log4j jar dependencies in your deployed applications with the latest patch from Apache.
Unzip the distribution and copy/extract the following jars into a directory
While Servoy Developer itself is not vulnerable. The log4j dependencies will be exported when generating .war files from the IDE.
Servoy Application Server from legacy versions can be installed as a stand-alone Tomcat container with applications deployed via .servoy export files only (non-war deployment). If you still deploy your applications via .servoy exports, please follow the above instructions for Updating Servoy Developer on your server installation. Be sure to STOP tomcat before replacing the jars.
* Look into our Servoy Cloud offering, where security issues are continuously monitored by bots & experts and resolved for you as soon as they arise. Automatically. Contact your Servoy Sales rep for details on how to obtain a hassle free Servoy deployment.