Log4j Unsupported Version Detection Critical - Finding for log4j after upgrade to 21.2.6 or 21.2.8
search cancel

Log4j Unsupported Version Detection Critical - Finding for log4j after upgrade to 21.2.6 or 21.2.8


Article ID: 234707


Updated On:


CA Spectrum DX NetOps



  Path              : /spectrum/lib/log4j.jar

  Installed version : 1.2.8"         A logging library running on the remote host is no longer supported.   


"According to its self-reported version number, the installation of Apache Log4j on the remote host is no longer supported. Log4j reached its end of life prior to 2016.


Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities."          


"Upgrade to a version of Apache Log4j that is currently supported.


Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate versions / patches have known high severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest versions."


Release : 21.2.x



The version indicated here is related to Visibrokers product shipped with DX Netops Spectrum.

Broadcom does not own this version and cannot update it without Visibroker.


Broadcom requires Visibroker to update this version of Log4J.

If debug options are to never be used, this JAR file can be deleted:



In a response from Visibroker on the topic:

Our Product Engineering team have reviewed these items as well.


This relates to the Log4J Chainsaw viewer. As this is not shipped with VisiBroker, VisiBroker is not impacted in any way.


CVE-2022-23302 & CVE-2022-23305

These relate to Log4J appenders not used by VisiBroker by default. By default, VisiBroker uses the Log4J File appender. As such, these vulnerabilities will only be relevant if the customer creates explicit configuration that causes these non-default appenders be used.



This relates to a SocketServer class, which is again not used by VisiBroker by default.


In short, none of the above vulnerabilities are relevant to VisiBroker out-of-the-box.  Additionally,  Log4J 2 requires a minimum JRE version of 1.7. As such, Log4J 2 support will require a significant update for customers running on older platforms. We are carefully monitoring the situation with this vulnerability ensuring that our customers are not impacting.  At this time, our CORBA solutions do not appear vulnerable from a standard configuration of our products.


Viskibroker has plans to release/ship updated version of Log4J in October 2022.

Additional Information

This logging is only used to activate CORBA tracing in Spectrum.  It is enabled from the OneClick side through tomcat/webapps/spectrum/META-INF/context.xml




There is also an entry on the SpectroSERVER side in the $SPECROOT/Jcorbarc file which is disabled by default


However, if debug is not to be used - this JAR file can be safely deleted.  It is only used for CORBA debug.