SOLVED - Critical Log4J vulnerability in Firecontrol install

Hello all.
The IT department at the company I work for had an urgent message for me over Christmas that my computer has the log4j files on it. They instructed me to uninstall Firecontrol as this was a part of the install of that software. I found that there was a new 21.1.4 beta update, so I installed that, and the same log4j files were in that install too. Have others found this on their machines? Is there a fix? I can’t use my machine without the Firecontrol, but I can’t have a critical exploit log4j on my computer either.

Thanks,
Dan

Searched my computer and it also occurs in an Arduino folder as well as Siemens Solid Edge…

Yes. It was in our Arduino installs too, but Arduino issued a update to correct it.

Our development team is looking into this and we should be able to release a patched log4J version of FireControl soon.

hey Dan I’m no computer guy so can you explain it a bit more? is this something that affects our computers?

Hi Joe103. I’m not a computer geek either, but from what I was told from our IT security guys, log4j is in all kinds of programs and websites. It is/was a legit program. It’s some sort of app used in Java. I guess the bad guys figured out a way to use log4j to put bad stuff on your computer or steal info. I don’t know for sure. When it was being described to me, they might as well been speaking chinese because I didn’t understand most of what they were saying. :woozy_face:
Tech support from Langmuir did get back to me and said they are working on the fix and it will be available soon.
My company wouldn’t let me do it, but if I had a Crossfire at home, I’d just disconnect the computer from the internet until Langmuir has an update.

Thanks Dan, I did google it and I didn’t have any idea what it said other then it was not a good thing! I will shut off the internet on it till Langmuir gets this figured out.

FireControl 21.1.4 installers on our site have now been updated with the patched log4J library. We are currently using Log4J v2.17.1. See patch notes here for anyone technically inclined: Log4j – Apache Log4j Security Vulnerabilities

As FireControl does not function as a server it is unlikely there is any risk to running older versions. That said we encourage everyone to update.

No worries gang! Thanks for the update…

If you never connect the computer to the internet then you are safe.

FYI @langmuirsystems . Just tried to run FireControl after installing the updated version (compatibility version). FireControl hangs at the splash screen. Reverted back to the previous version for now.

There is an issue with these installers and they have been rolled back on the server as well. Will be updating this thread when this log4j fix is once again deployed.

This issue has been resolved once again and the new functional log4j-patched installers have been uploaded.

Thank you for your patience!

@bobdobqb

1 Like

Thanks a bunch!

Will give it another shot.

On the download page for Windows 10 is version 20.6.2. Is there a new version for Win10 or do we download Windows11 version? Thanks

A little more info on the name of the download and where it is found please. are we removing anything? Thanks!

I’m using the new version of 21.1.4 on a W10 machine. Works fine for me. I just noticed that it is identified as a W11 version but no problems cutting with it today so…

Guess that means I can upgrade to W11 now :laughing:

Available from the support downloads page Joe. I don’t think I had to uninstall the previous version… I mean that was like 4 hours ago!! :grin:

I was looking at the support/download page (Downloads | Langmuir Systems) for Crossfire Pro Win10 and the version listed is for 20.6.2 not 21.1.4. So is it ok to install the 21.1.4 version for Win11 on a Win10 PC.

Thanks Bob, I will go investigate!
@langmuirsystems Is this for windows 11? I have a free upgrade on this new pc but do not want to update to 11 if it is not for it, please let me knowAsap! Thanks