Information on the log4j vulnerability with regard to Wolfram Research software
- Created on 15.12.2021
- Software: Wolfram Cloud, Mathematica, webMathematica, gridMathematica, Wolfram Enterprise Private Cloud (EPC)
Regarding the recently disclosed log4j vulnerability in the Java logging library, version 2.x (where x<15), the vendor of the software listed above (Wolfram Research Inc.) has published the following information:
Mathematica uses log4j only in very isolated places of its extended functionality, namely in RLink and as a dependency in a Chemistry library named opsin, but in either case only in versions 1.x.
The same considerations apply to technically very similar Wolfram products such as Wolfram Desktop, Wolfram Player, Wolfram Alpha Notebook Edition.
In Wolfram Cloud the vulnerability has been addressed.
Wolfram Enterprise Private Cloud (EPC) uses affected versions of log4j. We are contacting all customers of externally managed EPCs directly, providing a workaround that prevents the use of this utility.
These workarounds are available to Additive and can be obtained on request via our
gridMathematica uses other logging utilities than log4j, and is therefore unaffected.
webMathematica uses log4j in a 1.x version, and is therefore not immediately affected. Customers that may still be concerned can replace the file log4j-1.2.15.jar in the WEB_INF/lib folder with the most recent log4j files in the download zip archive.
The review for a few more Wolfram products is continuing, yet we are very actively seeking to keep all Wolfram customers safe from this high-profile vulnerability.
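
To check an installation against the version criterion stated above (2.x where x<15), the following added example, which is not code from Wolfram Research or Additive, walks a directory such as a webMathematica folder and labels every log4j jar it finds, reading the version from the jar's Maven metadata or, failing that, from its file name. The function names and result labels are assumptions of this example.

```python
import os
import re
import sys
import zipfile

# Maven metadata carried by log4j-core 2.x jars; it holds the exact version.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Matches log4j-1.2.15.jar and log4j-core-2.14.1.jar, but not log4j-api-*.jar.
NAME_RE = re.compile(r"log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")


def classify(major, minor):
    """Apply the criterion from the notice: 2.x with x < 15 is affected."""
    if major == 2:
        return "2.x affected (x<15)" if minor < 15 else "2.x, x>=15"
    return f"{major}.x"


def jar_version(path):
    """Return (major, minor) for a log4j jar, or None if it is not one."""
    try:
        with zipfile.ZipFile(path) as jar:
            if POM in jar.namelist():
                props = jar.read(POM).decode("utf-8", "replace")
                m = re.search(r"^version=(\d+)\.(\d+)", props, re.M)
                if m:
                    return int(m.group(1)), int(m.group(2))
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name
    m = NAME_RE.search(os.path.basename(path))
    return (int(m.group(1)), int(m.group(2))) if m else None


def scan(root):
    """Walk root and return {relative jar path: classification}."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                full = os.path.join(folder, name)
                version = jar_version(full)
                if version:
                    found[os.path.relpath(full, root)] = classify(*version)
    return found


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar, verdict in sorted(scan(target).items()):
        print(f"{verdict:22} {jar}")
```

Jars nested inside other archives are not opened by this scan, so a clean result covers only the jars that sit directly on disk under the given directory.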