Product bulletin: Update on Log4j vulnerability

Products: Tekla Structures, Tekla Structural Designer, Tekla Tedds, Tekla Tedds for Word, Tekla PowerFab, Tekla PowerFab GO, Tekla Portal Frame Designer, Tekla Connection Designer, Trimble Connect (Windows, Web, Mobile)
Version: Not version-specific
Environment: Not environment-specific

As background, this vulnerability can affect Java-based applications that use certain versions of the 'Log4j' logging library, which is widely used in business system development, included in various open-source libraries, and directly embedded in major software applications. The vulnerability can allow remote code execution, for example via user input, letting an unauthenticated attacker gain access to a target system.

Trimble has identified the Log4j vulnerability as a potential exposure for Trimble and is executing its vulnerability management process to assess the risk and prioritize remediation. We have engaged engineering resources, third party cybersecurity vendors and software providers. We are continuously refreshing our datasets as we identify potential exposures in our infrastructure and product code.

Update 2021-12-17:

  • The Tekla products Tekla Structures, Tekla Model Sharing, Tekla Tedds, Tekla Structural Designer and Tekla PowerFab do not contain the Log4j library.
  • Tekla Online services have been promptly updated to the new versions of this logging library.
  • Additionally, we have been doing extra breach monitoring to be certain that we have not had any suspicious web traffic.

 

References:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228 

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q 

https://www.lunasec.io/docs/blog/log4j-zero-day/ 

https://github.com/apache/logging-log4j2/pull/607 
