Log4j

Anyone know if Log4j is used by FileMaker in any capacity, whether in Pro, Go, Server or Cloud?

Over at Reddit, people are saying that Claris has claimed there are no vulnerabilities.

360-works has chimed in to say that none of their code uses Log4j.

It seems as though the 360-works product called Plastic is affected and that updates are available.

MonkeyBread has a statement here: MBS Blog - log4j

Claris posted an answer:
https://support.claris.com/s/answerview?language=en_US&anum=000035819

2 Likes

If you have any code written that uses log4j, Apache has already posted updated libraries (with corresponding new maven dependencies --> log4j-2.15.0) that fix this problem. If you have the 1.x version of log4j, you're OK for this current vulnerability, but that version has other problems.

Also, updating from 1.x -> 2.x requires a small code change in how you instantiate the LOGGER.

Log4j Version 1:
private static final Logger logger = Logger.getLogger(<class_name>.class);

Log4j Version 2:
private static final Logger logger = LogManager.getLogger(<class_name>.class.getName());

1 Like

This blog post offers a good recap: Fixing the Log4Shell (Log4j) exploit for FileMaker Server | by Anchor-Buoy Software | Dec, 2021 | Medium

3 Likes

New update from Claris over here: ClarisPKB

4 Likes

The statement by Claris could be a bit more clear:

  • With respect to log4j, FMS 18 is not affected, so for that reason no update to a 'current' version is needed (although running a current version is always the preferred way).
  • Running a version older than 18 (imho 16, 17) does not have the affected version of log4j, but that is no guarantee that it would be safe.
  • There might be add-ons that installed log4j; for example, pdfBox for Ubuntu seems to have that.

2 Likes

Make sure it's log4j2 as log4j version 1 is not affected by this particular problem.
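
Added example, not written by any poster in this thread, by Claris or by Apache: a Python scan for the two points made just above, that add-ons may have installed their own log4j and that only log4j2 matters for this issue. It reads the Maven pom.properties that log4j-core jars carry, falls back to the file name, and uses 2.15.0 (the fixed release named earlier in the thread) as the threshold; the function names, result labels and the sample tree in demo() are constructed for illustration.

```python
import os, re, tempfile, zipfile

FIXED = (2, 15, 0)  # fixed release named in the thread; raise it if Apache advises a newer one
# Maven metadata shipped in log4j-core, often still present when it is bundled into another jar
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)+)", re.I)

def jar_version(path):
    """Version from the embedded pom.properties, else from the file name, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            if POM in jar.namelist():
                for line in jar.read(POM).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name
    m = NAME_RE.match(os.path.basename(path))
    return m.group(1) if m else None

def classify(version, fixed=FIXED):
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return "unknown version"
    nums = (tuple(int(n) for n in m.group().split(".")) + (0, 0))[:3]  # "2.15" -> (2, 15, 0)
    if nums[0] == 1:
        return "1.x: not this issue, has other problems"
    return "2.x: fixed" if nums >= fixed else "2.x: update needed"

def scan(root):
    """Map each jar under root that is, or bundles, log4j to its classification."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            version = jar_version(path) if name.lower().endswith(".jar") else None
            if version:
                found[os.path.relpath(path, root).replace(os.sep, "/")] = classify(version)
    return found

def demo():
    """Scan a constructed tree: a 1.x add-on jar, a 2.14.1 core jar, a bundle holding 2.15.0."""
    with tempfile.TemporaryDirectory() as root:
        for rel, ver in [("addon/log4j-1.2.17.jar", None), ("lib/log4j-core-2.14.1.jar", "2.14.1"),
                         ("lib/plugin-bundle.jar", "2.15.0"), ("lib/log4j-api-2.14.1.jar", None)]:
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with zipfile.ZipFile(os.path.join(root, rel), "w") as jar:
                jar.writestr(POM if ver else "README", f"version={ver}\n" if ver else "x")
        return scan(root)
```

Call scan() with an installation or add-on directory to check a real system; jars that only contain log4j-api are not reported.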

Claris posted new, detailed documentation:

https://support.claris.com/s/answerview?language=en_US&anum=000035819

Thank you so much, Claris!

4 Likes

Just for clarification, they updated their original post. I'm glad they did so, otherwise people need a bunch of different links to get the full picture. They centralized everything in that one post, and it is a good thing.

3 Likes