Solved Gupta - Log4j Vulnerability

Dave Rabelink
Founder/Site Admin
Netherlands
Posts: 3343
Joined: 24 Feb 2017, 09:12
Location: Gouda, The Netherlands

Gupta - Log4j Vulnerability

Post by Dave Rabelink » 21 Dec 2021, 10:58

From OpenText Gupta Knowledgebase.

Applies to:
Gupta Report Builder 7.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.4, 7.4.1
Gupta Team Developer (TD) 7.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.4, 7.4.1

Summary:
Does the Log4j remote code execution vulnerability reported in CVE-2021-44228 affect Gupta Team Developer or Report Builder?

Resolution:
Gupta Team Developer and Report Builder are not affected by the Log4j vulnerability as this third-party component is not in use within the product.


Link: KB19895664
Regards,
Dave Rabelink

Articles and information on Team Developer Tips & Tricks Wiki
Download samples, documents and resources from TD Sample Vault
Videos on TDWiki YouTube Channel

RainerE
Germany
Posts: 2165
Joined: 27 Apr 2021, 12:40
Location: Germany

Re: Gupta - Log4j Vulnerability

Post by RainerE » 06 Jan 2022, 14:50

What about the uninstall program of the TD 4.2 deployment files?
We have migrated our application from TD 4.2 to TD 7.4.1 and therefore the TD 4.2 deployment files must be uninstalled.
I noticed that the TD 4.2 (deployment) installer/uninstaller extracts and uses a Java runtime.
Our customer asked us if Log4j is used in the installer/uninstaller. If yes, he is not allowed to use the uninstaller.


Re: Gupta - Log4j Vulnerability

Post by Dave Rabelink » 06 Jan 2022, 15:53

To my knowledge this issue is only present in Log4j 2.
TD 4.2 is much, much older than that and Log4j 2 cannot be part of any system from before the introduction of this logger.

Another thing which came to mind is "what about the overall security of old TD applications which are not updated with the latest WinOS features to enhance security?"
I'm not sure, but maybe it is even more "insecure" to have very old runtimes service applications which may use outdated APIs which are marked nowadays as "insecure".

One of them is for instance the MS C++ runtime which has older versions which are not supported anymore due to lack of security.
Regards,
Dave Rabelink

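The customer's question in the thread above can also be checked directly on disk. The following is an added example, not code from the original posts or from OpenText: it inventories Java archives under a directory (for instance, wherever the installer/uninstaller has extracted its Java files) and reports whether they contain Log4j 2 core or Log4j 1.x classes. It assumes the standard Log4j package paths and Maven metadata location; the script and its function names are illustrative.

```python
"""Inventory Log4j classes inside Java archives under a directory tree."""
import io
import os
import sys
import zipfile

# Class paths that identify each Log4j generation inside an archive (assumed standard layout).
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # Log4j 2 core
LOG4J1_MARK = "org/apache/log4j/Logger.class"                          # Log4j 1.x
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, findings, depth=0):
    """Record Log4j markers in one archive; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(data)
    except (zipfile.BadZipFile, OSError):
        return  # not a readable archive: skip it rather than abort the scan
    with zf:
        names = set(zf.namelist())
        if LOG4J2_JNDI in names:
            version = "unknown"
            if POM_PROPS in names:  # Maven metadata carries the exact version
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append((label, "log4j2-core", version))
        elif LOG4J1_MARK in names:
            findings.append((label, "log4j1", "unknown"))
        for name in names:  # fat jars and WARs bundle other jars inside
            if depth < 3 and name.lower().endswith(ARCHIVE_EXT):
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", findings, depth + 1)


def scan_tree(root):
    """Walk root and return sorted (path, kind, version) tuples for Log4j hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                scan_archive(path, path, findings)
    return sorted(findings)


if __name__ == "__main__":
    for path, kind, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{version}\t{path}")
```

An empty result means no archive under the scanned directory contains those class paths; a `log4j2-core` hit should be compared against the fixed versions in the Apache Log4j security advisory for CVE-2021-44228.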
