Log4j jar file Vulnerability found in MDB install directory - Apache Log4j SEoL

Article ID: 243850

Products

CA Service Desk Manager

CA Service Management - Service Desk Manager

Issue/Introduction

After installing 17.3 RU16, security scanners flag the following file as vulnerable:

(Default Location) C:\Program Files\CA\SC\Mdb\Windows\lib\log4j-1.2.13.jar

Additional old log4j-1.x files are:

NX_ROOT\add-ons\mdb\mssql\lib\log4j-1.2.13.jar

NX_ROOT\add-ons\mdb\oracle\lib\log4j-1.2.13.jar

Environment

Release : 17.3, 17.4

Component : SDM - Vulnerability

Cause

This is an old version of log4j that needs to be updated in order to resolve the reported vulnerability. 

Resolution

Security scanners flag the following files as vulnerable because they are old versions of Log4j:

(Default Location) C:\Program Files\CA\SC\Mdb\Windows\lib\log4j-1.2.13.jar

NX_ROOT\add-ons\mdb\mssql\lib\log4j-1.2.13.jar

NX_ROOT\add-ons\mdb\oracle\lib\log4j-1.2.13.jar

RU16 updated the vast majority of the old log4j-1.x files, but the 3 files above remained.

To resolve this vulnerability, we recommend upgrading to the 17.4 version of Service Desk Manager/Service Management.
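
To confirm which Log4j 1.x jars are present before and after the upgrade, the following PowerShell inventory can be run on the SDM server. It is an added example, not Broadcom tooling; it assumes the NX_ROOT environment variable is set and the MDB is in the default location quoted above, and the function names are illustrative.

```powershell
# Added example: inventory Log4j jars under the SDM and MDB install roots.
# Assumptions: $env:NX_ROOT is set on this server, and the MDB uses the default
# location from the article. Adjust $roots for non-default installs.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-JarManifestVersion {
    param([Parameter(Mandatory)][string]$Path)
    $zip = $null
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        $entry = $zip.GetEntry('META-INF/MANIFEST.MF')
        if (-not $entry) { return $null }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
        if ($text -match '(?m)^Implementation-Version:\s*(\S+)') { return $Matches[1] }
        return $null
    } catch {
        return $null   # unreadable or corrupt archive: fall back to the file name
    } finally {
        if ($zip) { $zip.Dispose() }
    }
}

function Find-Log4jJar {
    param([string[]]$Root)
    foreach ($r in $Root) {
        # Skip unset or missing roots instead of failing the whole scan
        if (-not $r -or -not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -Recurse -File -Filter 'log4j*.jar' -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Prefer the version recorded in the jar; a file name can be changed
                $manifest = Get-JarManifestVersion -Path $_.FullName
                $nameVer  = if ($_.Name -match '^log4j-(\d+(\.\d+)+)') { $Matches[1] } else { $null }
                $version  = if ($manifest) { $manifest } else { $nameVer }
                [pscustomobject]@{
                    Path     = $_.FullName
                    Version  = $version
                    IsLog4j1 = [bool]($version -match '^1\.')
                    SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

$roots = @($env:NX_ROOT, 'C:\Program Files\CA\SC\Mdb')
Find-Log4jJar -Root $roots | Sort-Object Path | Format-Table -AutoSize -Wrap
```

Rows with IsLog4j1 set to True are the files a scanner will report as Log4j 1.x; rows with an empty Version could not be identified from either the manifest or the file name and need a manual check.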
