Apache log4j vulnerability does not affect AIMMS software

  • 13 December 2021
  • 2 replies
  • 283 views
Apache log4j vulnerability does not affect AIMMS software
Userlevel 3
Badge +4

 

We would like to inform you that the log4j vulnerability (CVE-2021-44228) does not affect the AIMMS Cloud Platform or AIMMS PRO on-premise installations:

  • The vulnerability is in log4j 2.x (2.0-beta9 to 2.14). AIMMS PRO uses log4j 1.2. This version does not include ‘run-time loading of classes’ which is the functionality used for the vulnerability.
  • Security group configuration on the AIMMS Cloud Platform would prevent exploitation of this vulnerability in case we would be using a 2.x version. 
  • In case we would be using a 2.x version, AIMMS PRO on-premise installations would have to permit external calls to an LDAP server, which we consider highly unlikely. 

Update on December 14, 10:30 CET

  • The only AIMMS products using Java are AIMMS PRO and the SDK Java client.
  • The LicenseServer and AIMMS are not Java and therefore are not affected.
  • The aimmssdk-server is not Java and therefore is not affected. The aimmssdk codebase does provide a Java variant of the aimms-api, which can be used by customers to have their Java applications interact with AIMMS. The examples and defaults use log4j 1.2 which is not affected by this exploit. It depends however on the log4j version chosen by the customer on which version is used in his application and outside of AIMMS control.
  • There is a vulnerability in log4j 1.2. The AIMMS PRO server however does not use the SocketServer component of log4j 1.2 and is therefore not vulnerable to this exploit. If you have an on-premise AIMMS PRO installation and you would like to set the ‘log4j.formatMsgNoLookup’ to ‘true’,you can do so by altering the file “AimmsPROService.cfg” which is in the folder %ProgramFiles%\AimmsPRO 2.0. You should stop the AIMMS PRO services and insert a line like:

             "-Dspring.profiles.active=WINDOWS",

             "-Dcom.aimms.pro.datadir=${AIMMSPRO_DATADIR}",

             "-Djava.library.tmpdir=${AIMMSPRO_DATADIR}/tmp",

             "-Dlog4j.formatMsgNoLookup=true",

             "-Dcom.sun.management.jmxremote=false"

    Next start the services again.

Please contact our user support team (support@aimms.com) if you have more questions about this topic and of course you can also post questions and comments to this article.

Jan-Willem van Crevel
as Information Security Officer AIMMS

 


2 replies

Userlevel 3
Badge +4

Please be advised that we updated this article with some more detailes following user questions.

Jan-Willem van Crevel
as Information Security Officer at AIMMS

Userlevel 3
Badge +4

Another update:

  • The AIMMS Cloud Platform uses egres rules preventing any outgoing LDAP traffic from our server components. Therefore it would not be possible to exploit the log4j 2.x vulnerability, even if we were using it. Outgoing LDAP traffic for the sessions is not prevented, but the sessions do not run Java.
  • I realize we may have caused confusion with the instructions for on-premise PRO installations how to prevent the SocketServer from ever being used in our software (in relation to this vulnerability). This configuration is in our eyes unneeded as SocketServer is not used in our code, nor are we planning to use it in future.

And because I can imagine that all the technical details in this article may distract from the title of the article, I will repeat it here:

Apache log4j vulnerability does not affect AIMMS software

 

Again, feel free to contact our User Support team if you have further questions.

Jan-Willem van Crevel
as Information Security Officer AIMMS

Reply


Didn't find what you were looking for? Try searching on our documentation pages:

AIMMS Developer & PRO | AIMMS How-To | AIMMS SC Navigator