Log4j Status

Perforce Status on Log4j

Please refer to the official status page for Log4j vulnerability concerning all Perforce products, including Zend Server and ZendPHP.

Zend Server, ZendPHP, and Log4j

Zend Server and ZendPHP are not compiled against, or directly consuming the Log4j library, which is why we can indicate that there is no direct risk for our products installed on your servers.

There are two specific software components, Zend JavaBridge and PHP-OCI8, extending Zend/PHP functionality, you might be using now on your servers. We recommend that:

1. If you have Zend JavaBridge installed, which is an Enterprise edition feature for connecting PHP with (legacy) Java Applications, you should audit any Java application on your server for Log4j usage, regardless of being accessed via the JavaBridge or not. Please note, that Zend JavaBridge is not installed by default.
2. If you are connecting to an Oracle database using the PHP OCI extension, you should audit the Oracle Client connector configuration for Log4j usage, as that is one option the client connector application can use for logging.

For any questions regarding the above, and any other concerns you still have, please feel free to contact us. 

Java-based applications are using Log4j as their logging utility and are vulnerable to this CVE.

IBM i and Log4j

For our IBM i customers, if you are using the Zend Server JavaBridge, then please make sure you have the latest PTF installed for the Java LP packages.

Related Reading:

• Blog: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)
• Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)
• Blog: An update on the Apache Log4j CVE-2021-44228 vulnerability

IBM Remedy, Upgrade to the latest version of Log4j (2.15.0 or later), available from the Apache website.