topic Re: Critical vulnerability found in log4j in Installation & Licensing Forum

Critical vulnerability found in log4j

mdavis22569 — Mon, 13 Dec 2021 17:10:47 GMT

Does Autodesk have anything official about this yet?

Critical vulnerability found in log4j

Re: Critical vulnerability found in log4j

Anonymous — Mon, 13 Dec 2021 18:23:21 GMT

Any news on this yet?

Re: Critical vulnerability found in log4j

mdavis22569 — Mon, 13 Dec 2021 18:24:30 GMT

As soon as I hear something I'll post. I hit some higher up's I know about this ...

Re: Critical vulnerability found in log4j

jgarrison — Mon, 13 Dec 2021 19:59:16 GMT

Any word from Autodesk on this yet? Even a KB link saying "we are investigating" would be helpful for those of us needing to track this across vendors.

Betreff: Critical vulnerability found in log4j

cadffm — Tue, 14 Dec 2021 07:54:00 GMT

As you can read now on each forum page:

The Autodesk Security Team is investigating the Log4Shell vulnerability (CVE-2021-044228). We have not identified any compromised systems in the Autodesk environment due to this vulnerability at this time. This is an ongoing investigation and we will provide updates on the Autodesk Trust Center as we learn more.

Re: Critical vulnerability found in log4j

RRienWNFHV — Tue, 21 Dec 2021 22:18:30 GMT

Please push this with your Security Team, this is a very high priority issue with our Security Team and they are demanding I provided them with a solution. I will be opening a new ticket and referencing this post as well.

Re: Critical vulnerability found in log4j

cadffm — Tue, 21 Dec 2021 22:28:53 GMT

Yes mdavis, PUSH IT! 😅

@RRienWNFHV

What are you talking about, there is an official statement and that#s all you will get,

..until they found an issue.

https://knowledge.autodesk.com/support/AutoCAD/learn-explore/caas/sfdcarticles/sfdcarticles/CVE-2021-44228.html

Re: Critical vulnerability found in log4j

robert.rienE7F2G — Wed, 22 Dec 2021 14:54:16 GMT

Well @cadffm, If you read my post again it clearly stated what I am asking, I cannot more clear, I need a fix, but here.
We have found a vulnerability in the Vault and Inventor products regarding "Apache Log4", we are looking for a fix from Autodesk, we need this ASAP as I am being pushed from our IT, I am requesting that they push their Security team for us.
Does this help clear it up for you?

Merry Christmas

Re: Critical vulnerability found in log4j

cadffm — Wed, 22 Dec 2021 15:04:42 GMT

Thank you for clarifying.

BUT ??

>>"We have found a vulnerability in the Vault and Inventor products regarding "Apache Log4", "

That's great! Because as you can read,

AutoDESK didn't found them until now: "We have not identified any compromised systems in the Autodesk environment due to this vulnerability, at this time"

So if you found one or more, run to AutoDESK, use the direct way, TELL them what you found!

https://knowledge.autodesk.com/contact-support

>>"we are looking for a fix from Autodesk"

You should inform them first, then they can look for a fix 😉

>>", we need this ASAP"

Ah, YOU are the one who need it ASAP, okay.

>>"as I am being pushed from our IT, I am requesting that they push their Security team for us."

If you informed AutoDESK about the problem, all done, you can do nothing more than wait.

>>"Does this help clear it up for you?"

Yes, thank you. And now: Start your support case.

Re: Critical vulnerability found in log4j

robert.rienE7F2G — Wed, 22 Dec 2021 15:17:59 GMT

@cadffm Is this how you get off by chastising users on line?
Really professional for someone of your "Autodesk Expert Elite Member" title, I can see that Autodesk just hands them out to anyone these days, really professional Autodesk, maybe you might want to rethink this one?

Now I remember why I do not post to these forums, it is folks like you that make the rest of us feel so comfortable and welcome here.

Go ahead and keep chastising me and other users, you must know better then the rest of us.

Re: Critical vulnerability found in log4j

cadffm — Wed, 22 Dec 2021 15:33:19 GMT

Hey Robert,

"it is folks like you "

I am a AutoDESK Software User and we all on the same boat. And all million users can not change the program,

the only one who can do this, is AutoDESK!

And IF you really found a problem, you should tell AutoDESK what you found.

Posting in Forum is good to inform us (other users), but if you really sure and thinking you found a problem,

then you have to go to AutoDESK (Support).

Perhaps I misunderstood your post a second time, but your last reply was surely the only inappropriate thing here.

I am trying to help another User, i showed where the current information is and where you have to go,

if you have new informations for AutoDESK.

Wir können uns gerne auf deutsch unterhalten, wenn das Übersetzungsprobleme verringert.

Re: Critical vulnerability found in log4j

robert.rienE7F2G — Wed, 22 Dec 2021 15:47:12 GMT

@cadffm Maybe you should go back and re-read your post to me, how does telling a user that that as you stated are trying to help "you can read!" help a user? Not helpful in the least bit, but it is my opinion only, and I am still allowed to have it.
Maybe you should try treating users with a little more respect instead of trying to make them look stupid and just state what it is that you found wrong with their post or just let it go as I am with this post to you, letting it go, I have made my point, your a bully on this site and NOT helping with the original post I am done responding to you.

Have a good rest of your day.

Re: Critical vulnerability found in log4j

pendean — Wed, 22 Dec 2021 21:52:05 GMT

Rantings aside, all these forums are end-user supported, end-users like you and me. If an Autodesk staffer drifts in here, its unusual but not unheard of, just not worth counting on.

If you see issues that Autodesk does not (see banner at the top of practically every page they run here), you need to report it yourself to Autodesk, here is one avenue other than this user-driven I&L forum https://knowledge.autodesk.com/customer-service/account-management/users-software/support-options#:~:text=To%20contact%20support%3A,to%20access%20help%20and%20support.

Here is another https://www.autodesk.com/company/contact-us/product-feedback

Then tag any Autodesk staffer you see that posted recently in this I&L specific forum if you wish as well, the method is the @ symbol with their forum name (no spaces between symbol and name) like I am tagging you here @robert.rienE7F2G

HTH

Re: Critical vulnerability found in log4j

DarrenP — Sat, 25 Dec 2021 19:35:25 GMT

according to Autodesk Vault & Inventor are not vulnerable to this: https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0012

are you sure you seeing this with Vault & Inventor?

Re: Critical vulnerability found in log4j

robert.rienE7F2G — Mon, 27 Dec 2021 15:02:56 GMT

Yes, I am sure, our Security Teams is reporting that Vault and Inventor have the Log4J vulnerability, not the Log4Shell vulnerability, there are two if you were not aware.

Re: Critical vulnerability found in log4j

pendean — Mon, 27 Dec 2021 20:49:07 GMT

@robert.rienE7F2G

Re: Critical vulnerability found in log4j

robert.rienE7F2G — Mon, 27 Dec 2021 21:36:00 GMT

Yes, I am very much aware of this page, there are items that we are working on with Autodesk that are not listed on that site, such as, what are the steps that we need to follow to remove Log4j 2.15.0 and upgrade to Log4j 2.17 if possible for the affected applications on that list.
I know that they are working on it, I get it that it takes time, but it is not acceptable at this point, we all need to at least know how to at least remove this vulnerability until they have a mitigation for the affected applications. I would think that someone out here would agree with at least that.
.

Re: Critical vulnerability found in log4j

ab_c — Tue, 28 Dec 2021 09:49:17 GMT

For me, the site

https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0012

- which the users are invited to visit - contains nothing but the title. No information like "we found .." or "we didn't find ..."

For me, a strange kind of information.

Re: Critical vulnerability found in log4j

pendean — Tue, 28 Dec 2021 13:52:11 GMT

Bet if they knew for sure 100% they would have documented it already: right?

Re: Critical vulnerability found in log4j

ab_c — Tue, 28 Dec 2021 14:41:36 GMT

I would not bet ...

When they add "news headers" on many webpages with the content "For information look at ..." - and there is no information, not even the string "At the moment we have no information.", then I'm confused about the seriousness of the topic.