Here's everything you need to know about our updates for the Log4J security vulnerability.

Has Openings Studio been updated to Log4J version 2.17.1 yet?

Yes.  Launching Openings Studio will automatically download these files and remove the old files.

What files might be picked up in a system vulnerability scan by a firm?

There are three located in C:\Program Files\AAOS.  These files are called:

  • Log4j-api-2.5.jar
  • Log4j-core-2.5.jar
  • Log4j-slf4j-impl-2.5.jar

The new, secure files have a similar name, but end in version number 2.17.1 instead of 2.5.  The new jar files will automatically download when launching Openings Studio and the old jar files will be deleted.  Please note: We originally updated to version 2.15.0, but we updated again when Log4J released another version.

Should a firm be concerned if they have these old files?

Openings Studio will not run without the updated files, so there is no risk of Openings Studio using the old jar files.  However, if a firm is concerned about these files showing up in a vulnerability scan, we recommend one of the following actions:

  1. Have each user with Openings Studio installed launch the program from either the Start menu or the plugin on their individual computers.  Admin rights are not required for this action.
  2. Have IT run a script to delete the above 2.5 jar files from all computers.  There is no risk in just removing them.
  3. Uninstall and reinstall Openings Studio for each user.
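For option 2, a cleanup script could look like the following. This is an added example, not a script supplied by the Openings Studio team. It assumes the folder and 2.5 file names listed above, assumes the replacement jars use the same base names with a 2.17.1 suffix, and uses a hypothetical `-InstallDir` parameter.

```powershell
# Added example, not vendor-supplied. Folder and 2.5 file names come from the FAQ.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$InstallDir = 'C:\Program Files\AAOS'   # hypothetical parameter name
)

$components = 'Log4j-api', 'Log4j-core', 'Log4j-slf4j-impl'
$oldVersion = '2.5'
$newVersion = '2.17.1'   # assumption: same base name with the new version suffix

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    Write-Output ('{0}: {1} not found, nothing to check' -f $env:COMPUTERNAME, $InstallDir)
    return
}

foreach ($name in $components) {
    $old = Join-Path $InstallDir "${name}-${oldVersion}.jar"
    $new = Join-Path $InstallDir "${name}-${newVersion}.jar"

    $oldFound = Test-Path -LiteralPath $old -PathType Leaf
    $status   = if ($oldFound) { 'OldPresent' } else { 'Clean' }

    if ($oldFound -and $PSCmdlet.ShouldProcess($old, 'Delete old Log4j jar')) {
        try {
            Remove-Item -LiteralPath $old -Force -ErrorAction Stop
            $status = 'Removed'
        } catch {
            # Typically a locked file or missing delete permission
            $status = "Failed: $($_.Exception.Message)"
        }
    }

    # One record per jar so results can be collected centrally
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Component  = $name
        Status     = $status
        NewPresent = Test-Path -LiteralPath $new -PathType Leaf
    }
}
```

Running it with `-WhatIf` reports which old jars are present without deleting anything; `NewPresent` shows whether the machine has already picked up the 2.17.1 files.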

Should a firm uninstall and reinstall Openings Studio?

If a firm has a lot of users and can do this more easily than removing the old jar files, this would be a good option.  The necessity of doing this is based on the firm, as there is no risk when Openings Studio is offline.  Again, new files will download automatically when Openings Studio is launched.

Did the Openings Studio installation package get updated?

Log4J files are not part of our installation package.  The files are only downloaded when Openings Studio is launched for the first time, or when an update is deployed.

What happens if someone doesn’t update these files?

Nothing except for maybe showing up in a security scan.  The files are not in use when Openings Studio is offline and do not pose a security threat in this state.
 

If you have further questions, feel free to contact your Openings Studio consultant for more information.