ump_cabi v4.25 - jrs-rest-java-client-6.1.5-jar-with-dependencies.jar - log4j module with version : 1.2.17

Article ID: 242049

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

During a recent scan we identified the following concern within the latest CABI environment:

nimsoft\probes\service\wasp\webapps\cabi\web-inf\lib\jrs-rest-java-client-6.1.5-jar-with-dependencies.jar installed version : 1.2.17

Inside jrs-rest-java-client-6.1.5-jar-with-dependencies.jar there is a log4j module with version : 1.2.17

Remediation - upgrade to a version of Apache Log4j that is currently supported. Upgrading to the latest versions of Apache Log4j is highly recommended, as intermediate versions/patches have known high-severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest versions.

Environment

Release : 20.4

Component : UIM - CABI

Resolution

The vulnerabilities with log4j 2.x were completely remediated. The file pointed out now relates to log4j 1.x, which we intend to remediate as well in the next cycle of cumulative updates.

Following is the excerpt from the link (https://logging.apache.org/log4j/2.x/security.html) shared by the client:
  1. CVE-2021-44832:
    • Log4j 1.x mitigation
      • Log4j 1.x is not impacted by this vulnerability.
  2. CVE-2021-45105:
    • Log4j 1.x mitigation
      • Log4j 1.x is not impacted by this vulnerability.
  3. CVE-2021-45046:
    • Log4j 1.x mitigation
      • Log4j 1.x is not impacted by this vulnerability.
  4. CVE-2021-44228:
    • Log4j 1.x mitigation
      • Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

CU3 is expected to be GA by the end of June.
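To make the Log4j 1.x mitigation quoted above (audit the configuration for JMSAppender) concrete, the following is an added Python example, not code from this article or from Broadcom: it checks a jar for bundled log4j 1.x classes and their version and scans a log4j 1.x configuration for appenders backed by org.apache.log4j.net.JMSAppender. The shaded pom.properties path, the sample jar and the sample configuration are assumptions constructed for the demonstration.

```python
import io
import re
import zipfile

# Fully qualified class behind the appender named in the CVE-2021-4104 mitigation.
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"
# Assumption: a maven "jar-with-dependencies" keeps the shaded log4j 1.x
# pom.properties under META-INF/maven/<groupId>/<artifactId>/.
LOG4J1_POM_PROPS = "META-INF/maven/log4j/log4j/pom.properties"

def log4j1_in_jar(jar_bytes: bytes) -> dict:
    """Report whether a jar bundles log4j 1.x classes, which version, and JMSAppender."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if LOG4J1_POM_PROPS in names:
            for line in zf.read(LOG4J1_POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return {
            "log4j1_present": any(n.startswith("org/apache/log4j/") for n in names),
            "version": version,
            "jms_appender_class": JMS_APPENDER_CLASS in names,
        }

# Properties form: log4j.appender.NAME=org.apache.log4j.net.JMSAppender
# XML form (name before class, as in the usual layout): <appender name=".." class="..">
_PROPS_RE = re.compile(r"^\s*log4j\.appender\.([\w.]+)\s*=\s*" + re.escape(JMS_APPENDER), re.M)
_XML_RE = re.compile(r'<appender\s+name="([^"]+)"\s+class="' + re.escape(JMS_APPENDER) + '"')

def jms_appenders_in_config(config_text: str) -> list:
    """Return the names of appenders configured as JMSAppender (empty list = not exposed)."""
    return _PROPS_RE.findall(config_text) + _XML_RE.findall(config_text)

def build_sample_jar() -> bytes:
    """Constructed sample: a jar shaped like a jar-with-dependencies bundling log4j 1.2.17."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(LOG4J1_POM_PROPS, "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        zf.writestr(JMS_APPENDER_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

SAMPLE_CONFIG = """# constructed log4j 1.x properties file with one exposed appender
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""
```

Run `log4j1_in_jar(open(path, "rb").read())` against a real wasp webapp jar and `jms_appenders_in_config` against its log4j.properties or log4j.xml; a non-empty list from the latter is the finding the mitigation tells you to remove.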