
Reflection for IBM 2014 (R1 15.6.636.0)

Hello Together

We are using this Reflection client (Reflection for IBM 2014 (R1 15.6.636.0)), a local installation on our notebooks.
Does anyone know if this version is affected by the Java Log4j problem? Thanks a lot for the support.

Greetings Pascal

  • 0  

    Hi Pascal,

    Thank you for contacting us regarding this issue. Just so you're aware, the current version of Reflection is Reflection Desktop 17.0 SP1.

    Micro Focus development teams are currently evaluating this situation for all AMC Host Connectivity products. We’ll provide further updates as we learn more. Here's the current status:

    1. Are you aware of Log4J or Logshell/LogJam (CVE-2021-44228)? Yes, and at this point Micro Focus’ review has found no indications of this vulnerability being exploited. We continue to monitor it closely.

    2. What is Micro Focus doing?
    a. The appropriate security teams are fully engaged and have been since we were first alerted this past Friday (December 10).
    b. We are following Cybersecurity and Infrastructure Security Agency (CISA) and National Cyber Security Centre (NCSC) guidance on this issue.
    c. In addition, Micro Focus has implemented a Secure Development Lifecycle that includes Supply Chain Security, 3rd Party Component Manifest, and 3rd Party Component Monitoring. Using these formal processes, we are working through this subject.
    d. At the Micro Focus network enterprise level, our internal security tooling has been updated and we will continue to monitor our operations for issues.

    Sincerely, Kris Lall

  • 0 in reply to   

    Good morning Kris

    Thank you for your feedback.
    We have a local installation so not via a web service. We have a VPN connection between the client and the server.
    Can we assume that our installation works without Java components?
    How can we check if we are using Log4J or in other words does our Reflection version generally not use Java?

    Thanks for the feedback.

    Best regards Pascal

  • 0   in reply to 

    Good day, Pascal.

    My understanding is that Log4j is a Java library and therefore this vulnerability affects only products that use or ship with Java. Reflection 2014 is a native Windows application and does not include this Java library.

    Other Reflection products do ship with Java, including Reflection Pro 2014 (includes X Server) and Reflection for the Web. So please check to ensure you're using the standard "Reflection 2014" product edition.

    We are following a standard set of security practices as we learn more about the Log4j issue and need to communicate findings to our customers. See https://www.microfocus.com/en-us/about/product-security for the latest updates.

    Best regards,

    Kris Lall
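
For the question above of how to check a local installation for Log4j, one approach is to search the installation directory for archives that contain log4j-core's `JndiLookup` class, the class involved in CVE-2021-44228. This is an added example, not part of the original thread and not Micro Focus tooling; the directory to scan is passed as an argument and the function names are chosen here.

```python
import io
import sys
import zipfile
from pathlib import Path

# Class in log4j-core 2.x that performs the JNDI lookup involved in CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, depth=0, max_depth=4):
    """Return labels of archives (including nested ones) that contain JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive: skip it
    with zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                # Fat JARs and WARs bundle libraries as archives inside archives.
                try:
                    inner = zf.read(name)
                except (zipfile.BadZipFile, RuntimeError, OSError):
                    continue  # corrupt or encrypted entry: skip it
                hits += scan_archive(inner, f"{label}!{name}", depth + 1, max_depth)
    return hits


def scan_tree(root):
    """Walk a directory tree and report every archive that carries JndiLookup.class."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXTS:
            try:
                hits += scan_archive(path.read_bytes(), str(path))
            except OSError:
                continue  # unreadable file (permissions, locks): skip it
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python scan_log4j.py <installation directory>
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in found:
        print("log4j-core JndiLookup found in:", hit)
    if not found:
        print("no log4j-core JndiLookup class found")
```

A hit shows that log4j-core 2.x is present in that archive, not which version it is; the version still has to be compared against the vendor's security bulletin.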

  • 0 in reply to   

    Is there a non-canned comment response to this? I get it that MicroFocus is working on this, but it doesn't seem like the question was answered. 

    Is Reflection Desktop 17.0 SP1 affected or no? The exploit has been out for a while now. 

  • 0   in reply to 

    Hi Richard,

    Reflection Desktop is a family of product editions. If you're using the standard Reflection Desktop edition, then you're not affected by the Log4j vulnerability. Here is a list of editions and versions that are impacted:

    AFFECTED SOFTWARE VERSIONS:
    Reflection Desktop Pro (X Server component only) versions 17.0, 16.2, 16.1, 16.0 (X component version 5.1), Reflection Pro 2014 R1 (X component version 5.0)
    Reflection Desktop for X (X Server component only) versions 17.0, 16.2, 16.1, 16.0 (X component version 5.1), Reflection Pro 2014 R1 (X component version 5.0)
    InfoConnect Desktop Pro for Unisys with X (X Server component only) versions 17.0, 16.2, 16.1

    This information will also be available in the security bulletin that is scheduled to be published today.

    Sincerely,

    Kris Lall