Thermo-Calc Response to Apache Log4j 2 Vulnerability

First Published: December 15, 2021 | Last Updated: January 19, 2022 15:50 CET

Summary

Thermo-Calc Software is aware of the so-called Log4Shell vulnerability in the Apache Log4j Java logging library that was disclosed on December 9, 2021. We have investigated our products, including Thermo-Calc, the Add-on Modules, SDKs, Property Models, and databases.

None of our products use the Log4j 2 versions affected by the Log4Shell bug.

However, in the wake of Log4Shell, there are strong recommendations to update Log4j to the most recent version. Therefore an update for Thermo-Calc 2022a was released on January 18, 2022 and another on January 19, 2022.

Read about the Update

What You Should Do

Users of 2022a:

Use the program as normal

Install the 2022a update | Learn about the update
Users of 2021b:

Use the program as normal
Users of 2018b to 2021a:

Use the program as normal

Delete the Log4j 2 files in the program installation if required by your company using the instructions below
Users of 2018a and earlier:

Use the program as normal

What We Concluded

Thermo-Calc has never used the Log4j 2 versions affected by the Log4Shell bug. Some versions of the software include these files, but they were never used and therefore do not cause a vulnerability.
All versions of Thermo-Calc since 3.0 (the first version with Java) use Log4j 1. This version is not prone to this vulnerability, but due to recommendations, we have updated the most recent version of Thermo-Calc to the most recent version of Log4j. Read about the update.
In some versions of Thermo-Calc, Log4j 2 is listed as one of the third-party products included in our software. This is inaccurate, as Log4j 1 is used.
Thermo-Calc is using Thales Sentinel RMS for license enforcement. The Sentinel RMS libraries and Sentinel license manager are not using Java and Log4j and are therefore not vulnerable.

What We are Doing

We investigated all versions of our software back to 3.0 (released 2013), the first version of Thermo-Calc to use Java and Log4j – and the earlier versions not written in Java. This includes all items shipped with the installation, such as Add-On Modules, SDKs, databases, Property Models, and example files.
In the wake of Log4Shell, there are strong recommendations to update the Log4j version that we are using, even though it is not affected by this vulnerability. Therefore we released an update to Thermo-Calc 2022a that uses the latest version of Log4j. Read about the update.
We emailed users on January 18, 2022 to inform them that an update is available and on January 19, 2022 to inform them of an additional update. The update is available from within the software.
We will not issue updates for older versions as there are no security risks associated with this vulnerability, but users can delete the unused Log4j files using the instructions below.

Technical Details

We investigated the following vulnerabilities: Remote Code Execution CVE-2021-44228 and CVE-2021-45046.
Log4Shell is mainly impacting web applications, but Thermo-Calc is a Java desktop application that uses network sockets for internal communication.
We have distributed Log4j 2 versions in some releases (listed below) alongside Log4j 1, but these were never used and therefore do not pose a security threat. This is the reason Log4j 2 is listed as a dependency in Help | About.
The Log4j 2 files can be safely deleted. We provide a small tool to help with that, which is included below.

How to Delete Log4j 2 Files

The following versions of Thermo-Calc include Log4j 2 files. They were installed alongside Logj 1 files, but are not used in the software and therefore do not pose a security threat. They can be deleted without causing any problem to the installation, but do not need to be deleted.

There is a small tool available to assist you in deleting all of these files. It can be downloaded by clicking the link below. Once you download the files, use the tool corresponding to your OS:

Download the Log4j 2 deletion tool

Versions Containing Log4j 2:

2018b
2019a
2019b
2020a
2020b
2021a

List of Files

There are two types of Log4j 2 files, as explained below:

Log4j 2 files are located in the installation directory of Thermo-Calc:

Version	Files
2018b	./2018b/log4j-api-2.11.0.jar ./2018b/log4j-core-2.11.0.jar
2019a	./2019a/log4j-api-2.11.0.jar ./2019a/log4j-api-2.11.1.jar ./2019a/log4j-core-2.11.1.jar
2019b	./2019b/log4j-api-2.11.2.jar ./2019b/log4j-core-2.11.2.jar or ./2019b/log4j-api-2.12.1.jar ./2019b/log4j-core-2.12.1.jar
2020a	./2020a/log4j-api-2.12.1.jar ./2020a/log4j-core-2.12.1.jar
2020b	./2020b/log4j-api-2.12.1.jar ./2020b/log4j-core-2.12.1.jar
2021a	./2021a/log4j-api-2.12.1.jar ./2021a/log4j-core-2.12.1.jar

2. Additional files are embedded into a number of jar-files. These files can be deleted by most users without breaking the program. If you are using the database checker, database editor (up to version 2020a), or the IDE database plugin (from version 2020b, tdb language server), please contact support to get replacement files that do not contain Log4j 2:

Version	Files
2018b	2018b\databasechecker-2018.2.14770.jar 2018b\databaseeditor-2018.2.14770.jar
2019a	2019a\databasechecker-2019.1.17915-146.jar 2019a\databaseeditor-2019.1.17915-146.jar
2019b	2019b\databasechecker-2019.2.20279-192.jar 2019b\databaseeditor-2019.2.20279-192.jar Or 2019b\databasechecker-2019.2.20556-200.jar 2019b\databaseeditor-2019.2.20556-200.jar
2020a	2020a\databasechecker-2020.1.21096-74.jar 2020a\databaseeditor-2020.1.21096-74.jar
2020b	2020b\databasechecker-2020.2.22336-34.jar 2020b\tdb-language-server-2020.2.22336-34.jar
2021a	2021a\databasechecker-2021.1.23387-95.jar 2021a\tdb-language-server-2021.1.23387-95.jar

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_ga_EFQJ4VC68W	2 years	This cookie is installed by Google Analytics.
_gat_UA-40903030-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
undefined	never	Wistia sets this cookie to collect data on visitor interaction with the website's video-content, to make the website's video-content more relevant for the visitor.

Cookie	Duration	Description
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_cfuvid	session	Description is currently not available.
DEVICE_INFO	5 months 27 days	No description
ln_or	1 day	No description
loglevel	never	No description available.
TESTCOOKIESENABLED	1 minute	Description is currently not available.
wp10786	1 year	No description