Thermo-Calc Response to Apache Log4j 2 Vulnerability
First Published: December 15, 2021 | Last Updated: January 19, 2022 15:50 CET
Thermo-Calc Software is aware of the so-called Log4Shell vulnerability in the Apache Log4j Java logging library that was disclosed on December 9, 2021. We have investigated our products, including Thermo-Calc, the Add-on Modules, SDKs, Property Models, and databases.
None of our products use the Log4j 2 versions affected by the Log4Shell bug.
However, in the wake of Log4Shell, there are strong recommendations to update Log4j to the most recent version. Therefore, an update for Thermo-Calc 2022a was released on January 18, 2022, and another on January 19, 2022.
Delete the Log4j 2 files in the program installation, if required by your company, using the instructions below
Users of 2018a and earlier:
Use the program as normal
What We Concluded
Thermo-Calc has never used the Log4j 2 versions affected by the Log4Shell bug. Some versions of the software include these files, but they were never used and therefore do not cause a vulnerability.
All versions of Thermo-Calc since 3.0 (the first version with Java) use Log4j 1. Log4j 1 is not affected by this vulnerability, but following the recommendations we have updated the most recent version of Thermo-Calc to the most recent version of Log4j. Read about the update.
In some versions of Thermo-Calc, Log4j 2 is listed as one of the third-party products included in our software. This is inaccurate, as Log4j 1 is the version used.
Thermo-Calc uses Thales Sentinel RMS for license enforcement. The Sentinel RMS libraries and the Sentinel license manager do not use Java or Log4j and are therefore not vulnerable.
What We are Doing
We investigated all versions of our software back to 3.0 (released 2013), the first version of Thermo-Calc to use Java and Log4j, as well as the earlier versions, which were not written in Java. This includes all items shipped with the installation, such as Add-On Modules, SDKs, databases, Property Models, and example files.
In the wake of Log4Shell, there are strong recommendations to update the Log4j version that we are using, even though it is not affected by this vulnerability. Therefore we released an update to Thermo-Calc 2022a that uses the latest version of Log4j. Read about the update.
We emailed users on January 18, 2022 to inform them that an update is available and on January 19, 2022 to inform them of an additional update. The update is available from within the software.
We will not issue updates for older versions, as there are no security risks associated with this vulnerability for them, but users can delete the unused Log4j files using the instructions below.
Log4Shell mainly impacts web applications, whereas Thermo-Calc is a Java desktop application that uses network sockets only for internal communication.
We have distributed Log4j 2 versions in some releases (listed below) alongside Log4j 1, but these were never used and therefore do not pose a security threat. This is the reason Log4j 2 is listed as a dependency in Help | About.
The Log4j 2 files can be safely deleted. We provide a small tool to help with that, which is included below.
How to Delete Log4j 2 Files
The following versions of Thermo-Calc include Log4j 2 files. They were installed alongside the Log4j 1 files, but they are not used by the software and therefore do not pose a security threat. They can be deleted without causing any problem to the installation, but they do not need to be deleted.
A small tool is available to assist you in deleting all of these files. It can be downloaded by clicking the link below. Once you have downloaded the files, use the tool corresponding to your OS:
2. Additional Log4j 2 files are embedded in a number of jar files. Most users can delete these files without breaking the program. If you use the database checker, the database editor (up to version 2020a), or the IDE database plugin (from version 2020b, the tdb language server), please contact support to get replacement files that do not contain Log4j 2:
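As an added example (not Thermo-Calc's deletion tool and not code from this page), the Python script below inventories a Java installation directory for Log4j jars and reports, for each jar, whether it holds only Log4j 1 classes, is a standalone Log4j 2 artifact, or carries Log4j 2 classes embedded alongside application code. The last case corresponds to the jar files the advisory says need replacement rather than deletion. It tells the two generations apart by their Java package prefixes (org/apache/log4j/ for Log4j 1, org/apache/logging/log4j/ for Log4j 2) and reads the Log4j 2 version from the Maven pom.properties entry when one is present. The installation layout and jar names it builds are constructed sample data, not Thermo-Calc's actual file set.

```python
import tempfile
import zipfile
from pathlib import Path

# Java package prefixes that distinguish the two Log4j generations inside a jar.
LOG4J1_PREFIX = "org/apache/log4j/"           # Log4j 1.x (the version the advisory says is used)
LOG4J2_PREFIX = "org/apache/logging/log4j/"   # Log4j 2.x (bundled but unused per the advisory)
# Standard Maven metadata entry shipped in log4j-core jars; carries a "version=" line.
LOG4J2_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def classify_jar(jar_path):
    """Inspect one jar and decide which Log4j generation(s) it contains.

    Verdicts:
      log4j1-only        - Log4j 1 classes, no Log4j 2: nothing to do
      standalone-log4j2  - only Log4j 2 classes: a deletable library jar
      embedded-log4j2    - application classes plus Log4j 2: needs a replacement jar
      no-log4j           - no Log4j classes at all
      unreadable         - not a valid zip/jar
    """
    info = {"path": str(jar_path), "log4j1": False, "log4j2": False,
            "log4j2_entries": [], "log4j2_version": None, "other_classes": 0}
    try:
        with zipfile.ZipFile(jar_path) as zf:
            for name in zf.namelist():
                if name.startswith(LOG4J1_PREFIX):
                    info["log4j1"] = True
                elif name.startswith(LOG4J2_PREFIX):
                    info["log4j2"] = True
                    info["log4j2_entries"].append(name)
                elif name.endswith(".class"):
                    info["other_classes"] += 1   # application code living in the same jar
                if name == LOG4J2_POM_PROPS:
                    for line in zf.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            info["log4j2_version"] = line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        info["verdict"] = "unreadable"
        return info

    if info["log4j2"] and info["other_classes"] == 0:
        info["verdict"] = "standalone-log4j2"
    elif info["log4j2"]:
        info["verdict"] = "embedded-log4j2"
    elif info["log4j1"]:
        info["verdict"] = "log4j1-only"
    else:
        info["verdict"] = "no-log4j"
    return info


def inventory(root):
    """Classify every *.jar below root (recursively), sorted by path."""
    return [classify_jar(p) for p in sorted(Path(root).rglob("*.jar"))]


def summarize(root):
    """Map jar file name -> verdict, for quick reporting and checks."""
    return {Path(f["path"]).name: f["verdict"] for f in inventory(root)}


def build_sample_install():
    """Create a throwaway directory imitating a Java desktop install.

    Constructed sample data: jar names and entries are invented; the .class
    payloads are just a few bytes, not real bytecode.
    """
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    lib = Path(root) / "lib"
    lib.mkdir()
    samples = {
        "log4j-1.2.17.jar": ["org/apache/log4j/Logger.class"],
        "log4j-core-2.14.1.jar": ["org/apache/logging/log4j/core/Logger.class",
                                  LOG4J2_POM_PROPS],
        "dbtools.jar": ["com/example/dbcheck/Main.class",          # app code ...
                        "org/apache/logging/log4j/LogManager.class"],  # ... with Log4j 2 inside
        "gui.jar": ["com/example/gui/App.class", "org/apache/log4j/Category.class"],
    }
    for jar, entries in samples.items():
        with zipfile.ZipFile(lib / jar, "w") as zf:
            for entry in entries:
                payload = b"version=2.14.1\n" if entry == LOG4J2_POM_PROPS else b"\xca\xfe\xba\xbe"
                zf.writestr(entry, payload)
    return root


if __name__ == "__main__":
    sample_root = build_sample_install()
    for finding in inventory(sample_root):
        version = f"  (Log4j 2 {finding['log4j2_version']})" if finding["log4j2_version"] else ""
        print(f"{finding['verdict']:18} {Path(finding['path']).name}{version}")
```

Run against a real installation root instead of the constructed sample to get a list of which jars are plain Log4j 2 artifacts (deletable) and which application jars embed Log4j 2 classes (the ones the advisory says to request replacements for). The script only reads archives; it never deletes or modifies anything.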