log4j

Last activity on October 1, 2023 - 11:21 249 Views 5 Replies ARIS Express

Joachim Kindler on January 26, 2022

Hi,

I understood that Aris Express was somehow effected by the log4j issue.

I had to delete ARIS Express as communicated by my organization.

Ist it OK to install it again?

Best regards, Joachim

Notify Moderator

Best Reply

Runé Becker on February 8, 2022 as Reply to Tobias Roth

I think Frank Weyand already replied to you here Apache Log4j - are we affected? | ARIS BPM Community (ariscommunity.com)

I can't add anything else except that we also had many "false positives", means, a software found by a scanner which didn't toroughly searched for the real Log4J CVEs but only for the Log4J classes, regardless of version and content.

I hope you get ARIS Express soon be put on a whitelist.

Cheers
Runè

or register to reply.

Show in context Notify Moderator

5 Replies

Runé Becker on January 26, 2022

Dear Joachim,

The well known vulnerability of Log4j published in Dec 2021 was never an issue for ARIS Express, because we don't have the affected Log4J version 2 included in ARIS Express. We are using a prior version. Source: Apache Log4j - are we affected? | ARIS BPM Community (ariscommunity.com)

So there is neither a reason for you to remove ARIS Express from your computer, nor do we have see a need to build a new version of ARIS Express.

Cheers
Runè

Like

Sign in
or register to reply.

Notify Moderator
TR

Tobias Roth on February 8, 2022

Dear René

we used also ARIS Express in our company. We deleted ARIS Express from all our computers, because our research showed us, that it uses "log4j__V2.3.jar".

Log4j is vulnerable from 2.0-beta9 til incl. 2.14.1.

So please tell me why it should not be vulnerable.

Thanks and best regards

Tobias

Like

Sign in
or register to reply.

Notify Moderator
TR

Tobias Roth on February 8, 2022

Dear René

we used also ARIS Express in our company. We deleted ARIS Express from all our computers, because our research showed us, that it uses "log4j__V2.3.jar".

Log4j is vulnerable from 2.0-beta9 til incl. 2.14.1.

So please tell me why it should not be vulnerable.

Thanks and best regards

Tobias

Like

Sign in
or register to reply.

Notify Moderator
Runé Becker on February 8, 2022 as Reply to Tobias Roth

Best reply

I think Frank Weyand already replied to you here Apache Log4j - are we affected? | ARIS BPM Community (ariscommunity.com)

I can't add anything else except that we also had many "false positives", means, a software found by a scanner which didn't toroughly searched for the real Log4J CVEs but only for the Log4J classes, regardless of version and content.

I hope you get ARIS Express soon be put on a whitelist.

Cheers
Runè

Like

Sign in
or register to reply.

Notify Moderator
TR

Tobias Roth on February 9, 2022 as Reply to Runé Becker

Thank you Runé for this information

Like

Sign in
or register to reply.

Notify Moderator

Upcoming events

Thursday, March 27, 2025 - 12:00

ARIS Gebruikers Groep Nederland (AGNL) Theme session: Process Excellence
Tuesday, April 29, 2025 - 09:00

ARIS User Group DACH meeting

Best Reply

ARIS Gebruikers Groep Nederland (AGNL) Theme session: Process Excellence

ARIS User Group DACH meeting