Applies to: COMSOL Model Manager, COMSOL Multiphysics®, COMSOL Server™ Versions: 6.1, 6.0, 5.6, 5.5, 5.4, 5.3a, 5.3, 5.2a, 5.2, 5.1, 5.0, 4.4

Problem Description

Does the COMSOL software contain the Apache Log4j library and, if so, is it affected by the vulnerabilities having the Common Vulnerabilities and Exposures (CVE) designations: CVE-2019-17571, CVE-2020-9488, CVE-2021-4104, CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307?

Solution

Summary

COMSOL Version 6.1 is not vulnerable.

For COMSOL Version 6.0 you should install update 1 as soon as possible since it contains an update of Log4j2 to version 2.17.1, which is not affected by these vulnerabilities, as well as a patched version of Log4j 1.2.17 where vulnerable classfiles have been removed.

COMSOL Version 5.6 and earlier versions only contain Log4j 1.2.17. Although we don't believe that the vulnerabilities it contains are exposed in our software, see instructions below for how to manually patch it if you, for example, want to avoid false positives in security scanning software.

COMSOL Version 6.1 or Later

COMSOL Version 6.1 or later includes Log4j2 version 2.17.1 or later, which is not affected by these vulnerabilities, and no version of Log4j 1.x is included.

COMSOL Version 6.0

COMSOL Multiphysics and the Model Manager server utilizes the Log4j 2.x library. When applying the COMSOL Software Version 6.0 Update 1, released on February 11, 2022, the Log4j 2.x library used in COMSOL Multiphysics is updated to version 2.17.1, where CVE-2021-44832, CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228 have been mitigated. After applying Update 1, the build version of COMSOL Multiphysics is incremented to 354. By downloading the full version of COMSOL Multiphysics you automatically get build 354.

COMSOL Version 6.0 also utilizes the Log4j 1.x library. When applying the COMSOL Software Version 6.0 Update 1, a patched version of Log4j 1.2.17 is installed. In this patched version, COMSOL has removed JMSSink.class, JMSAppender.class, SocketServer.class, SMTPAppender.class, SMTPAppender$1.class, JDBCAppender.class, and the org.apache.log4j.chainsaw package to mitigate CVE-2022-23302, CVE-2021-4104, CVE-2019-17571, CVE-2020-9488, CVE-2022-23305, and CVE-2022-23307, respectively.

The FlexNet license server does not utilize any Log4j libraries.

COMSOL Multiphysics, COMSOL Server, and COMSOL Model Manager Server

See the Product Update Page for instructions on how to install update 1.

COMSOL Compiler

The runtime used for executables compiled with COMSOL Compiler contains the same Log4j versions as the corresponding version of COMSOL Multiphysics that compiled it. So as long as COMSOL Multiphysics 6.0 is of build 354 (either by applying the upgrade as described above, or by installing the latest build directly) when the application is compiled, the Log4j versions that are included in the COMSOL Compiler runtime will be not vulnerable as described above.

COMSOL Version 5.6 and Earlier Versions

COMSOL Version 5.6 utilizes the Log4j 1.x library; however, it is not affected by any of the known vulnerabilities.

In more detail, the Log4j version used in COMSOL Version 5.2a and earlier is version 1.2.16, and in COMSOL Version 5.3 and later, version 1.2.17 of Log4j is used. This applies to both COMSOL Multiphysics and COMSOL Server.

Furthermore, the COMSOL software does not use the log server in Log4j 1.x and is therefore not vulnerable to CVE-2019-17571 for the SocketServer class in Log4j 1.2+. In addition, the COMSOL software is not configured to use the JMSAppender of Log4j 1.x and is therefore is not vulnerable to CVE-2021-4104.

Note that COMSOL Version 5.6 and earlier versions are not vulnerable to CVE-2021-44832, CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228 because they do not contain log4j version 2.x.

Although we don't believe that the vulnerabilities Log4j 1.x contains are exposed in our software, it is possible to manually patch it using an external scanning tool. Such manual patching will achieve the same mitigations as in COMSOL 6.0 Update 1, and can be useful, for example, to avoid false positives in security scanning software. To patch Log4j 1.x in an installation of COMSOL 5.6 or earlier, you can use an open source scanner available on GitHub under the Apache License 2.0:

  1. Download the CVE-2021-44228-Scanner software for your platform.
  2. Run it as an administrative user with the --scan-log4j1 and --fix options enabled and the COMSOL installation directory as target path.
  3. The software should report that it has mitigated Log4j 1.x. Depending on the installation type and installed modules, the scanner can find Log4j files to mitigate in one or both of these files: log4j-1.2.17.jar and lib.external.poi_4.1.2.jar.