As per CA recommendation We have upgraded the CA NetOps to 21.2.12. Still the security scan is showing the log4j1.X Vulnerabilities. As per security team log4j1.X needs to be removed from system.
Following is the scan result:-
IP |
DNS |
QID |
Title |
Last Detected |
Results |
<IP> |
DC1.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 11:19:29 |
/opt/CA/IMDataCollector/backup/apache-activemq/lib/optional/log4j-1.2.17.jar# |
<IP> |
DA1.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 12:07:04 |
/opt/IMDataAggregator/DA37/backup/apache-activemq/lib/optional/log4j-1.2.17.jar |
<IP> |
DA1.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 12:07:04 |
/opt/IMDataAggregator/IMDataAggregator36/broker/apache-activemq-5.15.2/lib/optional/log4j-1.2.17.jar |
<IP> |
DA1.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 12:07:04 |
/opt/IMDataAggregator/broker/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar# |
<IP> |
DC2.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 10:31:20 |
/opt/IMDataCollector/IMDataCollector/backup/apache-activemq/lib/optional/log4j-1.2.17.jar# |
<IP> |
DC3.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 13:30:40 |
/opt/IMDataCollector/IMDataCollector/backup/apache-activemq/lib/optional/log4j-1.2.17.jar# |
<IP> |
DC4.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 09:31:10 |
/opt/IMDataCollector/IMDataCollector/backup/apache-activemq/lib/optional/log4j-1.2.17.jar# |
<IP> |
DA2.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 11:58:34 |
/opt/CA/IMDataAggregator/Logs/archiveAggFiles/broker/apache-activemq-5.15.2/lib/optional/log4j-1.2.17.jar |
<IP> |
DA2.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 11:58:34 |
/opt/CA/IMDataAggregator/backup/apache-activemq/lib/optional/log4j-1.2.17.jar# |
DX NetOps : 21.2.x/22.2.x
OS : Linux
The paths to these files are either backup folders or old installation paths
Remove the Log4J files from the old and backup folder paths. There won't be any issues with the product.
FYI...
There is no log4j vulnerability reported in the PM_22.2.x release.