Log4j Vulnerability - how can we update Log4j within MindManager?

Frank L. shared this question 14 months ago
Discussion Open

Hi - we use your product at our company and our security monitoring tool has found a vulnerability that is associated with the MindManager app.

The vulnerability is that MindManager uses Log4j and the version it uses is 1.2.13, which reached End of Life in 2015 and is no longer supported.

Our security tool found the following:

Vulnerable software installed: Apache Log4j 1.2.13 (/System/Volumes/Data/Volumes/MindManager/MindManager.app/Contents/Resources/LocalTransformations/lib/log4j-1.2.13.jar)

Vulnerable software installed: Apache Log4j 1.2.13 (/Applications/MindManager.app/Contents/Resources/LocalTransformations/lib/log4j-1.2.13.jar)

Vulnerable software installed: Apache Log4j 1.2.13 (/System/Volumes/Data/Applications/MindManager.app/Contents/Resources/LocalTransformations/lib/log4j-1.2.13.jar)

Vulnerable software installed: Apache Log4j 1.2.13 (/Volumes/MindManager/MindManager.app/Contents/Resources/LocalTransformations/lib/log4j-1.2.13.jar)

We thought upgrading MindManager to the latest version would resolve this but it did not.

Please patch MindManager with Log4j 2.x to obtain security fixes. You can find more info here:

https://logging.apache.org/log4j/2.x/security.html

https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/

---