Who does this affect?
This article applies to users running Portfolio 3.6.3 and 4.0.
Issue
On December 10, 2021, researchers reported CVE-2021-44228, a vulnerability in the Log4j library that allows a malicious user to run code on an affected system. Portfolio uses an affected version of Log4j.
On March 10, 2023, CVE-2023-26464 was reported, describing an issue in Log4j 1.x on systems running a JRE earlier than version 1.7.
Is there a solution?
CVE-2021-44228
Yes. Portfolio 3.6.3 and 4.0 need to be updated to the latest version, Portfolio 4.0.1, which can be found on our Installers page here:
https://www.extensis.com/support/portfolio-4/
CVE-2023-26464
Portfolio 3.6.3 and 4.x do not use a JRE lower than 1.7.
Additional Security Reports:
CVE-2018-19409
Only affects Linux servers (not supported by Portfolio).
CVE-2018-16509
Requires local access to the system to be exploited. A secure network should mitigate this issue.
CVE-2016-7979 & CVE-2019-14813
Requires local access to the system to be exploited. A secure network should mitigate this issue.
CVE-2022-23302
Requires local access to the system to be exploited. A secure network should mitigate this issue.
CVE-2018-18284
Only affects Linux servers (not supported by Portfolio).
CVE-2019-7321
Portfolio does not use an affected version of MuPDF
CVE-2018-1335
Portfolio does not use tika-server
CVE-2016-6809
Portfolio does not support MATLAB files
CVE-2022-42252
Only applicable if Portfolio is behind a reverse proxy that also fails to reject the request with the invalid header. Reverse proxies are not part of our standard configuration when developing Portfolio.
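CVE-2022-42252 only comes into play when Tomcat sits behind a reverse proxy, and the Tomcat-side mitigation is the HTTP Connector's rejectIllegalHeader attribute. For administrators who do place Portfolio behind a reverse proxy, the following Python script is an added example (not Extensis code) that reads a Tomcat server.xml and lists every HTTP connector that does not explicitly set rejectIllegalHeader="true". The sample server.xml is constructed; it is an assumption that the bundled Tomcat is one of the releases in which that attribute defaulted to false and that its server.xml is reachable for inspection, neither of which this page states.

```python
import xml.etree.ElementTree as ET


def connectors_without_reject_illegal_header(server_xml):
    """Return the port of every HTTP Connector in a Tomcat server.xml that
    does not explicitly set rejectIllegalHeader="true".

    In the Tomcat releases CVE-2022-42252 covers, the attribute defaulted to
    false, so a missing attribute is treated as the weak setting (assumption:
    the deployment runs one of those releases)."""
    root = ET.fromstring(server_xml)
    weak = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # AJP connectors receive already-parsed headers from the proxy;
        # rejectIllegalHeader applies to the HTTP connectors.
        if "AJP" in protocol.upper():
            continue
        setting = conn.get("rejectIllegalHeader", "false").strip().lower()
        if setting != "true":
            weak.append(conn.get("port", "?"))
    return weak


# Constructed server.xml: port 8080 relies on the (weak) default,
# port 8443 sets the attribute explicitly, port 8009 is AJP and is skipped.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" rejectIllegalHeader="true"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for port in connectors_without_reject_illegal_header(SAMPLE_SERVER_XML):
        print(f"Connector on port {port} does not set rejectIllegalHeader=\"true\"")
```

The script only reports the Tomcat side; the reverse proxy's own handling of malformed headers still has to be checked separately, which is the condition the note above makes the issue depend on.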
CVE-2022-45143
Portfolio does not use this feature of Tomcat
CVE-2022-29885
Portfolio does not use any of the clustering features outlined in the vulnerability. A secure network should further mitigate this issue.
CVE-2021-4104
We do not use JMSAppender in any of our products.
CVE-2019-17571
We do not use the Log4j network logging features and are not affected.
CVE-2020-9488
We do not use the Log4j SMTPAppender and are not affected.
CVE-2022-23305
We do not use the Log4j JDBCAppender and are not affected.
CVE-2022-23307 & CVE-2020-9493
This is related to Apache Chainsaw, a GUI log reader that can be included with Log4j. We do not include it with our distribution and are not affected.
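The Log4j 1.x items above all turn on which appenders a deployment actually configures. As an added example (not Extensis code), this Python script scans a log4j.properties or log4j.xml for the appender classes tied to CVE-2021-4104 (JMSAppender), CVE-2020-9488 (SMTPAppender) and CVE-2022-23305 (JDBCAppender), so an administrator can confirm the statements above against their own installation's configuration. The sample configurations are constructed; the class names are the standard Log4j 1.2 ones. CVE-2019-17571 (SocketServer) and CVE-2022-23307 (Chainsaw) concern classes that are run or shipped rather than declared as appenders, so a configuration scan does not cover them.

```python
import re

# Log4j 1.x appender classes named in the list above, each mapped to the CVE
# it is associated with (standard Log4j 1.2 class names).
RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.net.SMTPAppender": "CVE-2020-9488",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

# properties syntax: "log4j.appender.<name>=<class>". Sub-keys such as
# log4j.appender.<name>.layout have a dot after the name and do not match.
_PROPS_RE = re.compile(r"^\s*log4j\.appender\.([\w-]+)\s*=\s*([\w.$]+)\s*$")
# XML syntax: <appender name="..." class="..."> with attributes in any order.
_APPENDER_TAG_RE = re.compile(r"<appender\b([^>]*)>", re.IGNORECASE)
_ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')


def find_risky_appenders(config_text):
    """Return (appender_name, class_name, cve) for every appender declared in
    a log4j.properties or log4j.xml whose class is in RISKY_APPENDERS.

    An empty list means none of the flagged appenders are configured; it says
    nothing about classes that are merely present on the classpath."""
    findings = []
    for line in config_text.splitlines():
        m = _PROPS_RE.match(line)
        if m and m.group(2) in RISKY_APPENDERS:
            findings.append((m.group(1), m.group(2), RISKY_APPENDERS[m.group(2)]))
    for attrs in _APPENDER_TAG_RE.findall(config_text):
        attr = dict(_ATTR_RE.findall(attrs))
        cls = attr.get("class")
        if cls in RISKY_APPENDERS:
            findings.append((attr.get("name", "?"), cls, RISKY_APPENDERS[cls]))
    return findings


# Constructed sample configurations: one properties file that declares a
# JMSAppender, one XML file that declares an SMTPAppender.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

SAMPLE_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="file" class="org.apache.log4j.FileAppender">
    <param name="File" value="portfolio.log"/>
  </appender>
  <appender class="org.apache.log4j.net.SMTPAppender" name="mail">
    <param name="SMTPHost" value="mail.example.invalid"/>
  </appender>
</log4j:configuration>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PROPERTIES, SAMPLE_XML):
        for name, cls, cve in find_risky_appenders(sample):
            print(f"appender '{name}' uses {cls} ({cve})")
```

Run it against the log4j.properties or log4j.xml shipped with the installation; a clean result on the JDBC, JMS and SMTP appenders matches what the list above asserts, while any finding is a configuration to review before relying on those statements.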
If you have questions or require more assistance, please submit a support request.