Information from Simio regarding the Apache Log4j CVE-2021-44228 Vulnerability

Security researchers have discovered a critical security vulnerability, which is described here: NVD - CVE-2021-44228 (nist.gov).

Simio would like to assure our users that we are addressing the reported remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam).   We have assessed our Simio products, including third party components, and our own internal infrastructure to check for vulnerability. 

In summary, the Simio products are not affected by this vulnerability.   This vulnerability exploits the Apache Log4J2 (Java) module version 2.14.1 or earlier. The Simio products - including the Simio Portal - are built upon IIS, .NET and C#, and do not use Apache, Java, or the Log4J2 software, and are therefore not affected by this vulnerability. Additionally, the Simio Portal product is an on-premises (intranet) solution and should not be configured to have outward (internet) facing ports.  While it is possible that customers could create user extensions that employ the log4j2 module, these are not part of the standard Simio product and we at Simio are not aware of any such extensions.

The Simio security team will continue to monitor the situation and address any potential vulnerabilities that are found in our internal infrastructure.  

If you have any questions, please do not hesitate to contact Simio support at support@simio.com.