We would like to inform you that the log4j vulnerability (CVE-2021-44228) does not affect the AIMMS Cloud Platform or AIMMS PRO on-premise installations:
- The vulnerability is in log4j 2.x (2.0-beta9 to 2.14). AIMMS PRO uses log4j 1.2. This version does not include ‘run-time loading of classes’ which is the functionality used for the vulnerability.
- Security group configuration on the AIMMS Cloud Platform would prevent exploitation of this vulnerability in case we would be using a 2.x version.
- In case we would be using a 2.x version, AIMMS PRO on-premise installations would have to permit external calls to an LDAP server, which we consider highly unlikely.
Update on December 14, 10:30 CET
- The only AIMMS products using Java are AIMMS PRO and the SDK Java client.
- The LicenseServer and AIMMS are not Java and therefore are not affected.
- The aimmssdk-server is not Java and therefore is not affected. The aimmssdk codebase does provide a Java variant of the aimms-api, which can be used by customers to have their Java applications interact with AIMMS. The examples and defaults use log4j 1.2 which is not affected by this exploit. It depends however on the log4j version chosen by the customer on which version is used in his application and outside of AIMMS control.
- There is a vulnerability in log4j 1.2. The AIMMS PRO server however does not use the SocketServer component of log4j 1.2 and is therefore not vulnerable to this exploit. If you have an on-premise AIMMS PRO installation and you would like to set the ‘log4j.formatMsgNoLookup’ to ‘true’,you can do so by altering the file “AimmsPROService.cfg” which is in the folder %ProgramFiles%\AimmsPRO 2.0. You should stop the AIMMS PRO services and insert a line like:
Next start the services again.
Please contact our user support team (firstname.lastname@example.org) if you have more questions about this topic and of course you can also post questions and comments to this article.
Jan-Willem van Crevel
as Information Security Officer AIMMS