Security Advisory
Log4j Vulnerability
Executive Summary:
A remote code execution (RCE) software vulnerability was discovered in the popular open-source Apache Log4j logging library (versions 2.0 to 2.14.1) on December 9. The vulnerability is known to be actively exploited in the wild and has been designated CVE-2021-44228 by MITRE. It is also known as Log4Shell and has been given a criticality rating of 10 (on a scale of 1 to 10, 10 being worst). This library is used across many Java applications, and the Apache Software Foundation has released an emergency patch (Log4j v2.16.0) to correct this vulnerability.
Cadence Software Affected*:
| Product/Service | Vulnerable Version(s) | Fixed Version(s) | Availability | Temp Workaround |
|---|---|---|---|---|
| Allegro/OrCAD SPB | 17.2 | 17.2 ISR 80 | Dec. 23, 2021 | Please contact your AE |
| Allegro/OrCAD SPB | 17.4 | 17.4 ISR 25 | Dec. 23, 2021 | Please contact your AE |
| SYSVIP | SPA | SYSVIP Nightly Build under validation | Target: Dec. 20, 2021 | Tarball on vipportal/contact Cadence AE |
Cadence Software Not Affected*:
| Product Family | Product | Impacted | Notes |
|---|---|---|---|
| Databahn | | No | |
| Tensilica | TIP XPG | No | |
| Tensilica | Log4xtensa | No | |
| Tensilica | Xplorer IDE | No | |
| Tensilica | XPG Application Server | No | |
| Tensilica | XUM | No | |
| Tensilica | OCD Manager | No | |
| Genus | | No | |
| Conformal | | No | |
| Modus | | No | |
| Stratus | | No | |
| Joules | | No | |
| Innovus | | No | |
| Tempus | | No | |
| Liberate | | No | |
| Quantus | | No | |
| PVS | | No | |
| Pegasus | | No | |
| Cadence Cerebrus | | No | |
| Integrity 3D-IC | | No | |
| Virtuoso | | No | |
| Spectre | | No | |
| Xcelium, Xcelium ML | | No | [1] using version of log4j not impacted by this vulnerability |
| Incisive | | No | [1] using version of log4j not impacted by this vulnerability |
| Jasper | | No [1] | [1] using version of log4j not impacted by this vulnerability |
| VIPCAT | | No | |
| vManager | | No [1] | [1] using version of log4j not impacted by this vulnerability |
| Indago | | No [1] | [1] using version of log4j not impacted by this vulnerability |
| Perspec | | No [1] | [1] using version of log4j not impacted by this vulnerability |
| Specman | | No [1] | [1] using version of log4j not impacted by this vulnerability |
| IXCOM | | No | |
| HDLICE | | No | |
| VXE/WXE | | No [2] | [2] Cadence product unaffected, waiting on feedback from Mellanox with regard to IB driver |
| PTM | | No [2] | [2] Cadence product unaffected, waiting on feedback from Mellanox with regard to IB driver |
| PDAPP/ AVIP | | No [1] | [1] using version of log4j not impacted by this vulnerability |
| Helium | | No [1] | [1] using version of log4j not impacted by this vulnerability |
| MMP | | No | |
*Tables will be updated when we have confirmation.
What is Cadence doing?
Our customers are our top priority and we are dedicated to helping you protect against this vulnerability. Cadence is actively evaluating all of our supported products and services to identify and update vulnerable versions of our software. There are only three supported Cadence products known to be affected, and Cadence has made available updates or workarounds to address the issue in each product.
What can you do?
Security updates which include the updated version of Log4j are being made a priority and will be made available on https://downloads.cadence.com.