Applies to: COMSOL Model Manager, COMSOL Multiphysics®, COMSOL Server™ Versions: All versions

Problem Description

Does the COMSOL software contain the Apache Log4j library and, if so, is it affected by the vulnerabilities having the Common Vulnerabilities and Exposures (CVE) designations: CVE-2021-45105, CVE-2021-45046, CVE-2021-44228, CVE-2021-4104, CVE-2019-17571, and CVE-2021-44832?

Solution

Summary

COMSOL Version 5.6 and earlier versions are not affected by these vulnerabilities. For COMSOL Version 6.0 you should update as soon as possible since it contains the log4j version 2 library (log4j2), which is affected by these vulnerabilities.

COMSOL Version 6.0

COMSOL Multiphysics and the Model Manager server utilize the Log4j 2.x library. When applying the COMSOL Software Version 6.0 Update 0, released on December 23, 2021, the Log4j library used in COMSOL Multiphysics is updated to Log4j version 2.17.0, where these vulnerabilities have been resolved. After applying Update 0, the build version of COMSOL Multiphysics is incremented from 312 to 318. By downloading the full version of COMSOL Multiphysics you automatically get build 318. Note that COMSOL Software Version 6.0 build 318 is not vulnerable to CVE-2021-44832 since it does not use JDBCAppender.

COMSOL Server version 6.0 does not utilize Log4j 2.x and neither does the FlexNet license server.

COMSOL Version 6.0 also utilizes the Log4j 1.x library. However, it is not affected by any of the known vulnerabilities. See the details under COMSOL Version 5.6 below.

COMSOL Multiphysics

To update your COMSOL Multiphysics installation, please do the following:

  • Close all sessions of COMSOL Multiphysics.
  • Start a new session of COMSOL Multiphysics.
  • On Windows, select Help > Check For Product Updates from the File menu to initialize the update procedure. On macOS and Linux select Check For Product Updates from the Help menu.
  • Finalize the update by following the steps in the installer.

You can initialize the update procedure without starting COMSOL Multiphysics. To do that, please follow the instructions given under Additional Instructions on the Product Update Page.

COMSOL Model Manager Server

To solve this issue for the COMSOL Model Manager server, it needs to be reinstalled.

Uninstall your current Model Manager server installation by:

  • Stop the Model Manager server. If installed as a Windows service (the default for Windows), you can stop the Model Manager server service using the Manage Local Services shortcut installed on the Start menu under COMSOL Launchers.
  • Start the Model Manager server installer and select language.
  • Choose Uninstall COMSOL Model Manager Server 6.0. If a dialog box is opened, browse to the installation directory.
  • Click the Uninstall button.

NB: Uninstalling a Model Manager server will not delete any databases.

To install the updated version of the COMSOL Model Manager Server, download the new and updated installer from the Product Download Page and launch it to start the installation process.

COMSOL Compiler

The runtime used for executables compiled with COMSOL Compiler contains the same Log4j versions as the corresponding version of COMSOL Multiphysics that compiled it. So as long as COMSOL Multiphysics 6.0 is of build 318 (either by applying the update as described above, or by installing the latest build directly) when the application is compiled, the version of Log4j 2.x that is included in the COMSOL Compiler runtime will be 2.17 and thus not vulnerable as described above.

COMSOL Version 5.6 and Earlier Versions

COMSOL Version 5.6 utilizes the Log4j 1.x library, however, it is not affected by any of the known vulnerabilities.

In more detail, the Log4j version used in COMSOL Version 5.2a and earlier is version 1.2.16; in COMSOL Version 5.3 and later, some components also use version 1.2.17 of Log4j. This applies to both COMSOL Multiphysics and COMSOL Server.

Furthermore, the COMSOL software does not use the log server in Log4j 1.x and is therefore not vulnerable to CVE-2019-17571 for the SocketServer class in Log4j 1.2+. In addition, the COMSOL software is not configured to use the JMSAppender of Log4j 1.x and is therefore not vulnerable to CVE-2021-4104.

Note that COMSOL Version 5.6 and earlier versions are not vulnerable to CVE-2021-44228 since they do not contain Log4j version 2.x.
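An administrator verifying the statements above (Log4j 2.17.0 or later after Update 0 for Version 6.0, and no JMSAppender configured for the Log4j 1.x components in Version 5.6 and earlier) will usually want an inventory of the Log4j jars actually present under an installation and of any Log4j 1.x configuration that names JMSAppender. The following script is an added example and is not COMSOL's own tooling: it walks a directory tree, reads each Log4j jar's manifest (falling back to the version in the file name), records whether the jar carries the JndiLookup class, and classifies the version against the 2.17.0 patch level named in this article. The installation root, the sample jars and the sample configuration text are all constructed here for illustration; the real installation path and jar contents are whatever your COMSOL installer put on disk.

```python
"""Inventory Log4j jars under an installation tree and report their patch level.

Added example, not COMSOL's own tooling. The install root and the sample jars
built by demo() are constructed stand-ins for a real installation.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Class whose presence in a Log4j 2.x jar marks the JNDI lookup feature (CVE-2021-44228).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Patch level this advisory states for COMSOL 6.0 build 318.
PATCHED_LOG4J2 = (2, 17, 0)
# Log4j 1.x appender the advisory ties to CVE-2021-4104 (only exploitable when configured).
LOG4J1_JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
FILENAME_VERSION = re.compile(r"log4j(?:-[a-z0-9]+)*-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); tolerates trailing qualifiers such as '2.17.0-rc1'."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(jar_path):
    """Return version, JndiLookup presence and a status string for one Log4j jar."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        version_text = manifest_version(zf)
        if version_text is None:  # fall back to the version embedded in the file name
            m = FILENAME_VERSION.search(jar_path.name)
            version_text = m.group(1) if m else None
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    version = parse_version(version_text) if version_text else None
    if version is None:
        status = "unknown version"
    elif version[0] == 1:
        status = "log4j 1.x (not affected by CVE-2021-44228; confirm JMSAppender is unused)"
    elif version >= PATCHED_LOG4J2:
        status = "patched (2.17.0 or later)"
    else:
        status = "update required (older than 2.17.0)"
    return {"jar": jar_path.name, "version": version_text,
            "has_jndi_lookup": has_jndi, "status": status}


def scan_install(root):
    """Inspect every log4j*.jar below root, in a deterministic order."""
    return [inspect_jar(p) for p in sorted(Path(root).rglob("*.jar"))
            if p.name.lower().startswith("log4j")]


def log4j1_config_uses_jms_appender(config_text):
    """True if a Log4j 1.x properties/XML configuration names the JMSAppender class."""
    return LOG4J1_JMS_APPENDER in config_text


def make_sample_jar(directory, name, version, include_jndi):
    """Constructed stand-in for a real jar: a manifest and, optionally, the JndiLookup entry."""
    path = Path(directory) / name
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")  # placeholder bytes, not real bytecode
    return path


def demo():
    """Build a constructed install tree with one jar of each kind and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        make_sample_jar(lib, "log4j-core-2.14.1.jar", "2.14.1", include_jndi=True)
        make_sample_jar(lib, "log4j-core-2.17.0.jar", "2.17.0", include_jndi=True)
        make_sample_jar(lib, "log4j-1.2.17.jar", "1.2.17", include_jndi=False)
        return scan_install(tmp)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Run `scan_install("<COMSOL installation root>")` against a real installation to list what is on disk; a 2.17.0 jar still contains the JndiLookup class, so the `has_jndi_lookup` column is informational and the `status` column, derived from the version, is what to compare with the build 318 statement above.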