We have performed an investigation into DESITE BIM and we are pleased to say that it does not use log4j and is not vulnerable to CVE-2021-44228.
For customers that use the Flexera licensing service; Flexera are investigating their exposure to the log4j issues. They have confirmed that both the cloud service (FlexNet Embedded) and the on-premise server (FlexNet Publisher) are exposed to the log4j issue.
We are working with Flexera to ensure that our cloud licensing customers are protected. Flexera have put a workaround in place to mitigate the threat whilst a full fix is being deployed.
For customers that have an on-premise FlexNet Publisher instance for managing their licenses, this product has been confirmed as vulnerable by Flexera up to version 2021 R4 (18.104.22.168). At this time, Flexera have not published information on a fixed version or mitigation plan. In the meantime, to minimise the risk of compromise, please take appropriate steps to isolate any on-premise FlexNet Publisher servers; where possible ensure that the servers are not published on the internet.
We will update this article as the situation changes. Further information is being provided by Flexera via their support site: https://community.flexera.com/t5/Revenera-Company-News/Security-Advisory-Log4j-Java-Vulnerability-CVE-2021-44228/ba-p/216905
For customers that use the FlexNet Publisher product (Concurrent User On-Premise Licenses):
If you have deployed the Flexera Publisher server in line with our setup guide (only enabling the command line interface (lmgrd)), Revenera have confirmed that the server is not vulnerable to CVE-2021-44228. If you have customised your installation of the server so that it uses a web interface (lmadmin) instead of the command line, Revenera have identified that in versions prior to 22.214.171.124, the web interface only module “Alerter” contains a version of log4j which is vulnerable to CVE-2021-44228.
To confirm, if you have followed the setup guide and are working with the command line interface, the server is not vulnerable. If you have enabled the web interface, instead of the command line interface and enabled the “Alerter” module, the server is at risk. Revenera have published a workaround for user of the web interface, which involves replacing the vulnerable jar files with newer versions which are not vulnerable. Please see their support article here, for more information: https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2021-44228-Log4j-vulnerability-impact-on-FlexNet-Publisher/ta-p/217384