
Thermo-Calc Response to Apache Log4j 2 Vulnerability

First Published: December 15, 2021  |  Last Updated: January 19, 2022 15:50 CET

Summary

Thermo-Calc Software is aware of the so-called Log4Shell vulnerability in the Apache Log4j Java logging library that was disclosed on December 9, 2021. We have investigated our products, including Thermo-Calc, the Add-on Modules, SDKs, Property Models, and databases.

None of our products use the Log4j 2 versions affected by the Log4Shell bug.

However, in the wake of Log4Shell, there are strong recommendations to update Log4j to the most recent version. Therefore an update for Thermo-Calc 2022a was released on January 18, 2022 and another on January 19, 2022.

What You Should Do

  • Users of 2022a:
    • Use the program as normal
    • Install the 2022a update | Learn about the update
  • Users of 2021b:
    • Use the program as normal
  • Users of 2018b to 2021a:
    • Use the program as normal
    • Delete the Log4j 2 files in the program installation if required by your company, using the instructions below
  • Users of 2018a and earlier:
    • Use the program as normal

What We Concluded

  • Thermo-Calc has never used the Log4j 2 versions affected by the Log4Shell bug. Some versions of the software include these files, but they were never used and therefore do not cause a vulnerability.
  • All versions of Thermo-Calc since 3.0 (the first version with Java) use Log4j 1. This version is not prone to this vulnerability, but due to recommendations, we have updated the most recent version of Thermo-Calc to the most recent version of Log4j. Read about the update.
  • In some versions of Thermo-Calc, Log4j 2 is listed as one of the third-party products included in our software. This is inaccurate, as Log4j 1 is used.
  • Thermo-Calc is using Thales Sentinel RMS for license enforcement. The Sentinel RMS libraries and Sentinel license manager are not using Java and Log4j and are therefore not vulnerable.

What We are Doing

  • We investigated all versions of our software back to 3.0 (released 2013), the first version of Thermo-Calc to use Java and Log4j, as well as the earlier versions, which were not written in Java. This includes all items shipped with the installation, such as Add-On Modules, SDKs, databases, Property Models, and example files.
  • In the wake of Log4Shell, there are strong recommendations to update the Log4j version that we are using, even though it is not affected by this vulnerability. Therefore we released an update to Thermo-Calc 2022a that uses the latest version of Log4j. Read about the update.
  • We emailed users on January 18, 2022 to inform them that an update is available and on January 19, 2022 to inform them of an additional update. The update is available from within the software.
  • We will not issue updates for older versions as there are no security risks associated with this vulnerability, but users can delete the unused Log4j files using the instructions below.

Technical Details

  • We investigated the following vulnerabilities: Remote Code Execution CVE-2021-44228 and CVE-2021-45046.
  • Log4Shell mainly affects web applications; Thermo-Calc is a Java desktop application that uses network sockets for internal communication.
  • We have distributed Log4j 2 versions in some releases (listed below) alongside Log4j 1, but these were never used and therefore do not pose a security threat. This is why Log4j 2 is listed as a dependency in Help | About.
  • The Log4j 2 files can be safely deleted. We provide a small tool to help with that, which is included below.

How to Delete Log4j 2 Files

The following versions of Thermo-Calc include Log4j 2 files. They were installed alongside Log4j 1 files, but are not used in the software and therefore do not pose a security threat. They can be deleted without causing any problem to the installation, but do not need to be deleted.

There is a small tool available to assist you in deleting all of these files. It can be downloaded by clicking the link below. Once you download the files, use the tool corresponding to your OS:

Download the Log4j 2 deletion tool

Versions Containing Log4j 2:

  • 2018b
  • 2019a
  • 2019b
  • 2020a
  • 2020b
  • 2021a

List of Files

There are two types of Log4j 2 files, as explained below:

  1. Log4j 2 files located in the installation directory of Thermo-Calc:

     Version   Files
     2018b     ./2018b/log4j-api-2.11.0.jar
               ./2018b/log4j-core-2.11.0.jar
     2019a     ./2019a/log4j-api-2.11.0.jar
               ./2019a/log4j-api-2.11.1.jar
               ./2019a/log4j-core-2.11.1.jar
     2019b     ./2019b/log4j-api-2.11.2.jar
               ./2019b/log4j-core-2.11.2.jar
               or
               ./2019b/log4j-api-2.12.1.jar
               ./2019b/log4j-core-2.12.1.jar
     2020a     ./2020a/log4j-api-2.12.1.jar
               ./2020a/log4j-core-2.12.1.jar
     2020b     ./2020b/log4j-api-2.12.1.jar
               ./2020b/log4j-core-2.12.1.jar
     2021a     ./2021a/log4j-api-2.12.1.jar
               ./2021a/log4j-core-2.12.1.jar

  2. Additional Log4j 2 files embedded in a number of jar files. These jar files can be deleted by most users without breaking the program. If you are using the database checker, the database editor (up to version 2020a), or the IDE database plugin (from version 2020b, tdb language server), please contact support to get replacement files that do not contain Log4j 2:

     Version   Files
     2018b     2018b\databasechecker-2018.2.14770.jar
               2018b\databaseeditor-2018.2.14770.jar
     2019a     2019a\databasechecker-2019.1.17915-146.jar
               2019a\databaseeditor-2019.1.17915-146.jar
     2019b     2019b\databasechecker-2019.2.20279-192.jar
               2019b\databaseeditor-2019.2.20279-192.jar
               or
               2019b\databasechecker-2019.2.20556-200.jar
               2019b\databaseeditor-2019.2.20556-200.jar
     2020a     2020a\databasechecker-2020.1.21096-74.jar
               2020a\databaseeditor-2020.1.21096-74.jar
     2020b     2020b\databasechecker-2020.2.22336-34.jar
               2020b\tdb-language-server-2020.2.22336-34.jar
     2021a     2021a\databasechecker-2021.1.23387-95.jar
               2021a\tdb-language-server-2021.1.23387-95.jar
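The two tables above distinguish standalone log4j-api/log4j-core 2.x jars (safe to delete) from application jars that merely embed Log4j 2 classes (replace via support, do not edit). The script below is an added example, written for this page and not Thermo-Calc's own deletion tool, of how an administrator can inventory an installation tree along those same lines: it opens each jar, tells Log4j 1 from Log4j 2 by package prefix, flags whether the JndiLookup class tied to CVE-2021-44228 is present, and removes only the standalone 2.x jars, and only when asked. The sample installation it builds (file names, class entries, the log4j-1.2.17.jar name) is a constructed fixture for demonstration, not a copy of real Thermo-Calc files.

```python
"""Inventory Log4j artifacts in a Thermo-Calc-style installation directory.

Added example (not the vendor's tool). Reports standalone log4j-api/log4j-core
2.x jars, jars that embed Log4j 2 classes, and Log4j 1 jars. Only standalone
2.x jars are ever deleted, and only when delete_standalone=True; embedded
copies are reported so the replacement files can be requested instead.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Standalone Log4j 2 jar names as they appear in the advisory's first table.
STANDALONE_RE = re.compile(r"^log4j-(api|core)-2\.\d+\.\d+\.jar$")
# Package prefixes that separate Log4j 2 classes from Log4j 1 classes.
LOG4J2_PREFIX = "org/apache/logging/log4j/"
LOG4J1_PREFIX = "org/apache/log4j/"
# The lookup class involved in CVE-2021-44228; shipped only in log4j-core 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str               # "standalone-log4j2" | "embedded-log4j2" | "log4j1"
    has_jndi_lookup: bool


def classify_jar(path):
    """Inspect one jar and report which Log4j generation (if any) it carries."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return None  # not a real jar, ignore it
    if any(n.startswith(LOG4J2_PREFIX) for n in names):
        kind = ("standalone-log4j2" if STANDALONE_RE.match(os.path.basename(path))
                else "embedded-log4j2")
        return Finding(path, kind, JNDI_LOOKUP in names)
    if any(n.startswith(LOG4J1_PREFIX) for n in names):
        return Finding(path, "log4j1", False)
    return None


def scan(root, delete_standalone=False):
    """Walk an installation tree and return every Log4j finding.

    Standalone 2.x jars are removed only when delete_standalone=True. Jars that
    embed Log4j 2 classes are never modified here: per the advisory, those are
    replaced with files obtained from support.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(".jar"):
                continue
            f = classify_jar(os.path.join(dirpath, fn))
            if f is None:
                continue
            findings.append(f)
            if delete_standalone and f.kind == "standalone-log4j2":
                os.remove(f.path)
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'standalone-log4j2': 2, 'log4j1': 1}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def _write_jar(path, entries):
    # Entry contents are empty placeholders; only the entry names matter here.
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")


def build_sample_install(root=None):
    """Constructed fixture resembling a 2021a layout; no real vendor files."""
    root = root or tempfile.mkdtemp(prefix="tc-log4j-demo-")
    v = os.path.join(root, "2021a")
    _write_jar(os.path.join(v, "log4j-api-2.12.1.jar"),
               ["org/apache/logging/log4j/Logger.class"])
    _write_jar(os.path.join(v, "log4j-core-2.12.1.jar"),
               ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP])
    _write_jar(os.path.join(v, "databasechecker-2021.1.23387-95.jar"),
               ["com/example/Checker.class", JNDI_LOOKUP])   # embeds Log4j 2 core
    _write_jar(os.path.join(v, "log4j-1.2.17.jar"),            # constructed name
               ["org/apache/log4j/Logger.class"])             # the Log4j 1 in use
    _write_jar(os.path.join(v, "unrelated.jar"), ["com/example/App.class"])
    return root


if __name__ == "__main__":
    root = build_sample_install()
    for f in scan(root):
        flag = " (contains JndiLookup)" if f.has_jndi_lookup else ""
        print(f"{f.kind:18} {os.path.relpath(f.path, root)}{flag}")
    scan(root, delete_standalone=True)
    print("after deleting standalone jars:", summarize(scan(root)))
```

Run it against a real installation by calling scan("/path/to/Thermo-Calc") first without the delete flag, review the report, and only then rerun with delete_standalone=True; the embedded-log4j2 findings are the jars for which the advisory asks you to contact support.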
