Vulnerable Log4j jar file found in MDB install directory

Article ID: 243850

Products

CA Service Desk Manager CA Service Management - Service Desk Manager

Issue/Introduction

Security scanners are flagging the following file as vulnerable after installing RU16:

C:\Program Files\CA\SC\Mdb\Windows\lib\log4j-1.2.13.jar

Additional old log4j-1.x files are:

C:\Program Files (x86)\CA\Service Desk Manager\add-ons\mdb\mssql\lib\log4j-1.2.13.jar

C:\Program Files (x86)\CA\Service Desk Manager\add-ons\mdb\oracle\lib\log4j-1.2.13.jar

Environment

Release : 17.3

Component : SDM - Vulnerability

Cause

This is an old version of log4j that needs to be updated. 

Resolution

C:\Program Files\CA\SC\Mdb\Windows\lib\log4j-1.2.13.jar

C:\Program Files (x86)\CA\Service Desk Manager\add-ons\mdb\mssql\lib\log4j-1.2.13.jar

C:\Program Files (x86)\CA\Service Desk Manager\add-ons\mdb\oracle\lib\log4j-1.2.13.jar

are flagged as vulnerable by security scanners due to being old versions of Log4j.

Opened DE64413 to have L2 update these files.

RU16 updated the vast majority of the old log4j-1.x files, but the 3 files above remained.

L2 has advised that these files will be updated in the next RU patch (RU17).

In the meantime, the above files can be deleted or moved.
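As an added example (not part of this article, and not a CA/Broadcom-supplied script), the following PowerShell moves the three jar files listed above into a quarantine folder rather than deleting them, records a SHA256 manifest so the removal is auditable and reversible, and then re-checks the CA install roots for any remaining log4j-1.x jars. The quarantine path is an assumption; adjust it to your own standard.

```powershell
# Added example, not from the KB article. Quarantines the log4j-1.2.13.jar files
# named in the article instead of deleting them, so they can be restored if needed.
$QuarantineDir = 'C:\Quarantine\log4j-1.x'   # assumed location, not from the article

# The three paths exactly as listed in the article.
$Targets = @(
    'C:\Program Files\CA\SC\Mdb\Windows\lib\log4j-1.2.13.jar',
    'C:\Program Files (x86)\CA\Service Desk Manager\add-ons\mdb\mssql\lib\log4j-1.2.13.jar',
    'C:\Program Files (x86)\CA\Service Desk Manager\add-ons\mdb\oracle\lib\log4j-1.2.13.jar'
)

New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
$Manifest = Join-Path $QuarantineDir 'manifest.csv'

$Rows = foreach ($Path in $Targets) {
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "Not present (already patched or removed): $Path"
        continue
    }
    # Hash before moving so the manifest documents exactly which file was removed.
    $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # Encode the original location in the quarantined file name so it can be restored.
    $SafeName = ($Path -replace '[:\\ ]', '_')
    $Dest = Join-Path $QuarantineDir $SafeName
    Move-Item -LiteralPath $Path -Destination $Dest -Force
    Write-Host "Moved: $Path -> $Dest"
    [pscustomobject]@{
        OriginalPath  = $Path
        QuarantinedAs = $Dest
        SHA256        = $Hash
        MovedAt       = (Get-Date -Format o)
    }
}
if ($Rows) { $Rows | Export-Csv -LiteralPath $Manifest -NoTypeInformation -Append }

# Re-check: list any log4j-1.x jars still under the CA install roots so the scanner
# finding can be closed (or kept open) from a known state.
$Roots = @('C:\Program Files\CA', 'C:\Program Files (x86)\CA')
Get-ChildItem -Path $Roots -Recurse -Filter 'log4j-1.*.jar' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Run from an elevated PowerShell session; if Move-Item reports the file is in use, a Service Desk Manager or MDB Java process still holds it open and must be stopped first.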