Who does this affect?
This article applies to users running Portfolio 3.x and 4.x.
Issue
On December 10, 2021, researchers reported CVE-2021-44228, a vulnerability in the Log4j library that allowed a malicious user to run code on an affected system. Portfolio uses an affected version of Log4j.
On March 10, 2023, a further issue with Log4j 1.x, CVE-2023-26464, was reported for systems running a JRE earlier than version 1.7.
Is there a solution?
| Vulnerability | Comments | Remediation |
|---|---|---|
| CVE-2021-44228 | Affects Portfolio version 4.0 and earlier | Update to Portfolio 4.0.1. Installer can be found here: |
| CVE-2023-26464 | Portfolio 3.6.3 and 4.x do not use a JRE lower than 1.7 | |
| CVE-2018-19409 | Only affects Linux servers (not supported by Portfolio) | |
| CVE-2018-16509 | Requires local access to the system to be exploited. A secure network should mitigate this issue | |
| CVE-2016-7979 & CVE-2019-14813 | Requires local access to the system to be exploited. A secure network should mitigate this issue | |
| CVE-2022-23302 | Requires local access to the system to be exploited. A secure network should mitigate this issue | |
| CVE-2018-18284 | Only affects Linux servers (not supported by Portfolio) | |
| CVE-2019-7321 | Portfolio does not use an affected version of MuPDF | |
| CVE-2018-1335 | Portfolio does not use tika-server | |
| CVE-2016-6809 | Portfolio does not support MATLAB files | |
| CVE-2022-42252 | Only applicable if Portfolio is behind a reverse proxy that also fails to reject the request with the invalid header. Reverse proxies are not part of our standard configuration when developing Portfolio | |
| CVE-2022-45143 | Portfolio does not use this feature of Tomcat | |
| CVE-2022-29885 | Portfolio does not use any of the clustering features outlined in the vulnerability. A secure network should further mitigate this issue | |
| CVE-2021-4104 | We do not use JMSAppender in any of our products | |
| CVE-2019-17571 | We do not use the Log4j network logging features and are not affected | |
| CVE-2020-9488 | We do not use the Log4j SMTPAppender and are not affected | |
| CVE-2022-23305 | We do not use the Log4j JDBCAppender and are not affected | |
| CVE-2022-23307 & CVE-2020-9493 | These relate to Apache Chainsaw, a GUI log reader that can be included with Log4j. We do not include this with our distribution and are not affected | |
| CVE-2023-44487 | Portfolio doesn't support HTTP/2 and is unaffected | |
| CVE-2024-23672 | Portfolio doesn't use WebSocket connections and is unaffected | |
| CVE-2024-24549 | Portfolio doesn't support HTTP/2 and is unaffected | |
| CVE-2023-28708 | This vulnerability affects servers deployed behind a reverse proxy. This is an uncommon and unsupported configuration for Portfolio | |
| CVE-2023-45648 | This vulnerability affects servers deployed behind a reverse proxy. This is an uncommon and unsupported configuration for Portfolio | |
| CVE-2023-41080 | This vulnerability affects an authentication feature of Apache that we do not use in Portfolio | |
| CVE-2022-34305 | This vulnerability affects an authentication feature of Apache that we do not use in Portfolio | |
| CVE-2023-46589 | This vulnerability affects servers deployed behind a reverse proxy. This is an uncommon and unsupported configuration for Portfolio | |
If you have questions or require more assistance, please submit a support request.