After installing 14.0.2, still getting log4j errors on vulnerability scan

Article ID: 241997

Products

CA Harvest Software Change Manager

Issue/Introduction

I was able to download the link and upgrade the product, however it appears our scanner still finds the log4j vulnerable files on the server. Please advise.

Attached the vulnerabilities that are pertaining to LOG4J on our server.
The specific file complaints are the following:

Path : C:\app\client\harvest\product\12.2.0\client_1\sqldeveloper\sqldeveloper\lib\log4j-1.2.13.jar
Installed version : 1.2.13

Path : C:\Users\harvestuser\.eclipse\com.ca.harvest.workbench.workbenchProduct_13.0.3.152_1820817221_win32_win32_x86_64\configuration\org.eclipse.osgi\4\0\.cp\log4j-1.2.12.jar
Installed version : 1.2.12

Path : C:\Users\harvestuser\.eclipse\com.ca.harvest.workbench.workbenchProduct_14.0.0.369_1820817221_win32_win32_x86_64\configuration\org.eclipse.osgi\4\0\.cp\log4j-1.2.12.jar
Installed version : 1.2.12

Environment

Release : 14.0

Component : CA HARVEST SCM GUI/Harweb

Resolution

The first one is related to the Oracle client:

Path : C:\app\client\harvest\product\12.2.0\client_1\sqldeveloper\sqldeveloper\lib\log4j-1.2.13.jar
Installed version : 1.2.13

Consult the Oracle documentation to resolve this one. If you don’t use sqldeveloper at all, it is safe to delete the “C:\app\client\harvest\product\12.2.0\client_1\sqldeveloper” folder.

The other two appear to be hold-overs from previous versions of Harvest on the machine.

Path : C:\Users\harvestuser\.eclipse\com.ca.harvest.workbench.workbenchProduct_13.0.3.152_1820817221_win32_win32_x86_64\configuration\org.eclipse.osgi\4\0\.cp\log4j-1.2.12.jar
Installed version : 1.2.12

Path : C:\Users\harvestuser\.eclipse\com.ca.harvest.workbench.workbenchProduct_14.0.0.369_1820817221_win32_win32_x86_64\configuration\org.eclipse.osgi\4\0\.cp\log4j-1.2.12.jar
Installed version : 1.2.12

To eliminate these, close down Workbench and then delete the “C:\Users\harvestuser\.eclipse” folder. Then restart Workbench. It will create a new copy of that folder with only SCM v14.0.2 files in it.
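
To confirm the cleanup before the next scan, the following added example (not part of the original article or of the product) inventories log4j JARs under the two folders named above and labels each one by the component that owns it. The function name `Get-Log4jJar` is hypothetical, and the root paths are the ones from this article's findings; adjust them for your host.

```powershell
# Added example: inventory log4j JARs under the folders named in this article.
# Root paths are taken from the scan findings above; change them for your host.
$roots = @(
    'C:\app\client\harvest\product\12.2.0\client_1\sqldeveloper',
    'C:\Users\harvestuser\.eclipse'
)

function Get-Log4jJar {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($root in $Path) {
        # A missing root means that folder has already been deleted.
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -Filter 'log4j*.jar' -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Version as encoded in the file name, e.g. log4j-1.2.12.jar -> 1.2.12
                $jarVersion = 'unknown'
                if ($_.Name -match '-(\d+(?:\.\d+)+)\.jar$') { $jarVersion = $Matches[1] }

                # Owner: the Workbench build in the Eclipse profile folder name,
                # or the Oracle client's sqldeveloper folder.
                $owner = 'unknown'
                if ($_.FullName -match 'workbenchProduct_(\d+\.\d+\.\d+)\.\d+_') {
                    $owner = "Workbench $($Matches[1])"
                } elseif ($_.FullName -match '\\sqldeveloper\\') {
                    $owner = 'Oracle SQL Developer'
                }

                [pscustomobject]@{
                    Owner         = $owner
                    Log4jVersion  = $jarVersion
                    LastWriteTime = $_.LastWriteTime
                    Path          = $_.FullName
                }
            }
    }
}

# Run before and after the cleanup and compare the two listings.
Get-Log4jJar -Path $roots | Sort-Object Owner, Path | Format-List
```

A row whose Owner is a Workbench build other than the installed release is a holdover from an earlier version, and no rows at all means the scanner has nothing left to flag in these two folders.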