9579

Informationen zur log4j Sicherheitslücke hinsichtlich Wolfram Research Software

  • Erstellt am 15.12.2021
  • Software: Wolfram Cloud, Mathematica, webMathematica, gridMathematica, Wolfram Enterprise Private Cloud (EPC)

Hinsichtlich der kürzlich offengelegten log4j Sicherheitslücke der Java logging library mit der Version 2.x (wobei x<15 ist) hat der Hersteller der oben genannten Software (Wolfram Reasrech Inc.) folgendes Informationen bekannt gemacht:

Mathematica uses log4j only in very isolated places of its extended functionality, namely in RLink and as a dependency in a Chemistry library named opsin, but in either case only in versions 1.x.

The same considerations apply to technically very similar Wolfram products such as Wolfram Desktop, Wolfram Player, Wolfram Alpha Notebook Edition.

In Wolfram Cloud the vulnerability has been addressed.

Wolfram Enterprise Private Cloud (EPC) uses affected versions of log4j. We are contacting all customers of externally managed EPCs directly, providing a workaround that prevents the use of this utility.

Diese genannten Workarounds liegen Additive vor und können bei Bedarf über unseren Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein. angefragt werden.

gridMathematica uses other logging utilities than log4j, is therefore unaffected.

webMathematica uses log4j in a 1.x version, is therefore not immediately affected. Customers that may still be concerned can replace the file log4j-1.2.15.jar in the WEB_INF/lib folder with the most recent log4j files in the download zip archive.

For all of these products we are looking into releasing their next version only with the most current versions of log4j.
The review for a few more Wolfram products is continuing, yet we are very actively seeking to keep all Wolfram customers safe from this high-profile vulnerability.
 

Question?

Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein., wenn Sie eine Frage zu diesem Artikel haben.