MathWorks has published the following in the Trust Center (version 3 of 2021-12-18):
MathWorks Response to CVE-2021-44228 and CVE-2021-45046 Apache Log4j vulnerabilities
Security researchers disclosed the following vulnerabilities in the Apache Log4j Java logging library:
- CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints
- CVE-2021-45046: the fix for CVE-2021-44228 was incomplete in certain non-default configurations.
MathWorks Product Security promptly conducted an assessment across the code base for desktop, server and online applications and determined that MathWorks customers do not need to take any action related to MathWorks products and online applications:
MathWorks Desktop and Server Products
None of MathWorks general release desktop or server products include the affected versions of Log4j and so do not contain the CVE-2021-44228 or CVE-2021-45046 logging vulnerabilities.
MathWorks is not aware of any exploitable vulnerabilities in the log4j framework used in any of our general release desktop or server products.
MathWorks general release desktop or server products includes MATLAB, Simulink, Stateflow, MATLAB Production Server, MATLAB Web App Server, MATLAB Parallel Server, MATLAB Online Server, MATLAB Runtime, MathWorks Product Installer, MATLAB Runtime Installer, all Polyspace products, RoadRunner and any toolboxes or blocksets for any of these. In addition, this includes all previous general releases such as R2021b, R2021a, R2020b, R2020a, and so on.
All online applications have been patched with officially suggested mitigations. After investigation there was no evidence that the vulnerability had been exploited on any of our systems.
Continuing Activities
MathWorks Product Security will continue to monitor this specific set of issues for their potential impact on our products.
See here for the full document: https://www.mathworks.com/content/dam/mathworks/policies/mathworks-response-to-cve-2021-44228-log4j-vulnerability.pdf
