Vulnerable Log4j jar file found in MDB install directory

Article ID: 243850


Products

CA Service Desk Manager CA Service Management - Service Desk Manager

Issue/Introduction

Security scanners are flagging the following file as vulnerable after installing RU16:

C:\Program Files\CA\SC\Mdb\Windows\lib\log4j-1.2.13.jar

Additional old log4j-1.x files are:

C:\Program Files (x86)\CA\Service Desk Manager\add-ons\mdb\mssql\lib\log4j-1.2.13.jar

C:\Program Files (x86)\CA\Service Desk Manager\add-ons\mdb\oracle\lib\log4j-1.2.13.jar

Environment

Release : 17.3

Component : SDM - Vulnerability

Cause

These are old log4j 1.x files that need to be updated.

Resolution

C:\Program Files\CA\SC\Mdb\Windows\lib\log4j-1.2.13.jar

C:\Program Files (x86)\CA\Service Desk Manager\add-ons\mdb\mssql\lib\log4j-1.2.13.jar

C:\Program Files (x86)\CA\Service Desk Manager\add-ons\mdb\oracle\lib\log4j-1.2.13.jar

are flagged as vulnerable by security scanners due to being old versions of Log4j.

RU16 updated the vast majority of the old log4j-1.x files, but the three files above remained.

The SDM Engineering team has advised that these files will be updated in the next RU patch (RU17).

In the meantime, the above files can be deleted/moved.
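As an added example (not part of this article or of the product), the following PowerShell script locates any remaining log4j-1.x jars under the two install roots named above, records each file's SHA-256 so the removal is auditable, and moves the jars to a quarantine folder rather than deleting them, so they can be restored if anything depends on them. The quarantine path and the report-only default (no changes without -Commit) are assumptions of this example.

```powershell
# Added example, not from the Broadcom KB article: find leftover log4j-1.x jars under the
# SDM/MDB install roots named in the article, record their SHA-256, and move them to a
# quarantine folder instead of deleting them. Quarantine path and report-only default are assumptions.
param(
    [string[]]$Roots = @(
        'C:\Program Files\CA\SC\Mdb',
        'C:\Program Files (x86)\CA\Service Desk Manager\add-ons\mdb'
    ),
    [string]$Quarantine = 'C:\Quarantine\log4j1',   # assumption: any folder outside the classpath
    [switch]$Commit                                  # without -Commit the script only reports
)

# Match log4j 1.x artifacts such as log4j-1.2.13.jar; log4j-core-2.x jars do not match and are skipped.
$pattern = '^log4j-1\.\d+(\.\d+)?\.jar$'

$found = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'log4j-*.jar' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern }
}

if (-not $found) {
    Write-Output 'No log4j-1.x jars found under the given roots.'
    return
}

if ($Commit -and -not (Test-Path -LiteralPath $Quarantine)) {
    New-Item -ItemType Directory -Path $Quarantine | Out-Null
}

foreach ($jar in $found) {
    $hash = (Get-FileHash -LiteralPath $jar.FullName -Algorithm SHA256).Hash
    # Preserve the original directory layout inside the quarantine so a file can be restored exactly.
    $relative = $jar.FullName -replace '^[A-Za-z]:\\', ''
    $dest = Join-Path $Quarantine $relative
    [pscustomobject]@{ Path = $jar.FullName; SHA256 = $hash; QuarantinedTo = $dest }
    if ($Commit) {
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Move-Item -LiteralPath $jar.FullName -Destination $dest
    }
}
```

Run it once without -Commit to review the report, then with -Commit from an elevated prompt; re-run the security scanner afterwards to confirm the three findings have cleared.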