0-day exploit found in log4j2, impact for OpenEdge users

Update • Progress Security Bulletin: https://www.progress.com/security

You may have heard that there is a critical security vulnerability in the "log4j" library (CVE-2021-44228, widely called "Log4Shell"), which is used by many applications in the Java ecosystem, and you might be wondering whether this impacts your OpenEdge environment.

At this time we do not know of any specific, direct impact to OpenEdge.

Update: It looks like the OE REST Adapter is vulnerable
Deprecated: In OpenEdge 11.7, PASOE and the OE REST Adapter do use log4j, but it is log4j version 1, which is not currently believed to be vulnerable to this exploit. (Note that log4j 1.x is end-of-life and no longer receives fixes, so it still belongs on your inventory of things to replace.)
For OpenEdge 12.2, PASOE and the underlying Tomcat instance do not appear to use log4j at all, so we believe they are safe. Confirm this on your own installation by checking the installed jars rather than relying on the version number alone.

CABL does not use log4j internally; if your SonarQube instance is exposed to the outside world, you may want to follow the instructions in the SonarSource community post linked below.

Nonetheless, we encourage everyone to carefully review their Java infrastructure. Many add-on components may have bundled log4j (often inside a WAR or EAR file rather than as a visible jar), and the vulnerability is being actively exploited. If you have internet-facing infrastructure you should act immediately to mitigate the use of log4j, either by upgrading every affected component to a patched release or by taking the temporary steps described in the articles below until you can upgrade.
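To make "review your Java infrastructure" concrete, here is an added example (written for this page, not a Progress or OpenEdge tool) that walks an install tree, opens every jar/war/ear it finds, including jars nested inside WAR and EAR files, reports which log4j it contains, and applies the temporary mitigation of deleting JndiLookup.class from a vulnerable log4j-core jar. It keys on the real archive entry paths that identify log4j (the JndiLookup class, the log4j-core pom.properties, and the log4j 1.x Logger class); the sample install tree it scans is constructed from stub jars carrying only those marker entries, and the status labels and the 2.15.0 cut-off are this example's own choices.

```python
"""Find log4j in a Java install tree (jars nested in WAR/EAR files included), report the version, and strip JndiLookup.class as a temporary mitigation."""
import io, os, re, shutil, tempfile, zipfile
from collections import Counter

# JndiLookup is the class abused by CVE-2021-44228; pom.properties carries the
# log4j-core version; Logger.class under org/apache/log4j marks log4j 1.x.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_CLASS = "org/apache/log4j/Logger.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 15, 0)  # first release closing CVE-2021-44228; 2.17.1 or later is the target

def parse_version(pom_properties):
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_archive(zf, location):
    """Classify one open zip, then recurse into any archive it embeds."""
    names = set(zf.namelist())
    findings = []
    if JNDI_CLASS in names or POM_PROPS in names:
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
        has_jndi = JNDI_CLASS in names
        old = version is None or version < FIXED  # an unknown version counts as old
        status = "VULNERABLE" if old and has_jndi else "MITIGATED" if old else "PATCHED"
        findings.append({"path": location, "library": "log4j2", "version": version,
                         "jndi_lookup": has_jndi, "status": status})
    if LOG4J1_CLASS in names:  # not exposed to CVE-2021-44228, but end-of-life
        findings.append({"path": location, "library": "log4j1", "version": None,
                         "jndi_lookup": False, "status": "EOL"})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_archive(inner, location + "!/" + name))
    return findings

def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(ARCHIVE_EXT)):
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except zipfile.BadZipFile:
                pass  # not a real archive; ignore
    return findings

def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; True if the class was present.
    Restart the JVM afterwards, and still plan the upgrade."""
    tmp, removed = jar_path + ".tmp", False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
            else:
                dst.writestr(item, src.read(item.filename))
    shutil.move(tmp, jar_path) if removed else os.remove(tmp)
    return removed

def write_zip(target, entries):
    with zipfile.ZipFile(target, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)

def build_sample_tree(root):
    """Constructed sample input: stub jars carrying only the marker entries."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic stands in for bytecode
    old = {JNDI_CLASS: stub, POM_PROPS: b"version=2.14.1\n"}
    nested = io.BytesIO()
    write_zip(nested, old)
    samples = {
        "lib/log4j-core-2.14.1.jar": old,
        "lib/log4j-core-2.17.1.jar": {JNDI_CLASS: stub, POM_PROPS: b"version=2.17.1\n"},
        "lib/log4j-1.2.17.jar": {LOG4J1_CLASS: stub},
        "webapps/app.war": {"WEB-INF/lib/log4j-core-2.14.1.jar": nested.getvalue()},
    }
    for rel, entries in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        write_zip(path, entries)

def run_demo():
    """Scan the constructed tree, mitigate the top-level jar, rescan; return status counts."""
    root = tempfile.mkdtemp()
    try:
        build_sample_tree(root)
        before = Counter(f["status"] for f in scan_tree(root))
        target = os.path.join(root, "lib", "log4j-core-2.14.1.jar")
        removed = (remove_jndi_lookup(target), remove_jndi_lookup(target))
        after = Counter(f["status"] for f in scan_tree(root))
        return {"before": dict(before), "removed": removed, "after": dict(after)}
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Point `scan_tree` at the OpenEdge install and the PASOE instance directories and act on every VULNERABLE line. Note that the jar inside the WAR is only reported, not rewritten: `remove_jndi_lookup` works on a jar on disk, so a nested copy has to be repackaged or, better, the whole component upgraded. Stripping the class is a stopgap that leaves an old build in place; an upgrade is still the fix.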

For more detailed information the following resources are a good start:

https://www.lunasec.io/docs/blog/log4j-zero-day/
https://community.sonarsource.com/t/sonarqube-and-the-log4j-vulnerability/54721
https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html