Security Risk: Apache Log4j Obsolete Version

      My IT department wants me to delete or update the log4j executable files contained in the AnsysEM22.1 release. I get this message:

      Detection Detail: Vulnerable software installed: Apache Log4j 1.2.16 (C:\Program Files\AnsysEM\AnsysEM22.1\Win64\spisim\spisim\modules\ext\log4j-1.2.16.jar)

      Solution Fix: See 'Detection Detail' below for which Log4j vulnerable file/module/software was found.  Either Delete the file, uninstall the respective module, or update the specific software utilizing this outdated Log4j vulnerable jar/module.

      If I delete this, what functionality will I lose? Does anyone know of a release of log4j that doesn't have this vulnerability?

    • Dan Dvorscak
      Ansys Employee

      That particular file is specific to the SPISim utility. If you are not using SPISim at all, it can be safely deleted without impacting the rest of the Ansys Electronics suite. 

      Though if it helps, according to the Ansys support site for Log4j vulnerabilities, that file does not use any of the affected classes that are susceptible to the vulnerability. Also note that this issue has been completely resolved in the 2023R1 release.

      Apache Log4j Vulnerability - Software Security Updates (ansys.com)

