CA Performance Management - Log4j Vulnerability
Article ID: 249579
Updated On:
Products
Issue/Introduction
As per CA recommendation We have upgraded the CA NetOps to 21.2.12. Still the security scan is showing the log4j1.X Vulnerabilities. As per security team log4j1.X needs to be removed from system.
Following is the scan result:-
|
IP |
DNS |
QID |
Title |
Last Detected |
Results |
|
<IP> |
DC1.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 11:19:29 |
/opt/CA/IMDataCollector/backup/apache-activemq/lib/optional/log4j-1.2.17.jar# |
|
<IP> |
DA1.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 12:07:04 |
/opt/IMDataAggregator/DA37/backup/apache-activemq/lib/optional/log4j-1.2.17.jar |
|
<IP> |
DA1.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 12:07:04 |
/opt/IMDataAggregator/IMDataAggregator36/broker/apache-activemq-5.15.2/lib/optional/log4j-1.2.17.jar |
|
<IP> |
DA1.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 12:07:04 |
/opt/IMDataAggregator/broker/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar# |
|
<IP> |
DC2.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 10:31:20 |
/opt/IMDataCollector/IMDataCollector/backup/apache-activemq/lib/optional/log4j-1.2.17.jar# |
|
<IP> |
DC3.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 13:30:40 |
/opt/IMDataCollector/IMDataCollector/backup/apache-activemq/lib/optional/log4j-1.2.17.jar# |
|
<IP> |
DC4.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 09:31:10 |
/opt/IMDataCollector/IMDataCollector/backup/apache-activemq/lib/optional/log4j-1.2.17.jar# |
|
<IP> |
DA2.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 11:58:34 |
/opt/CA/IMDataAggregator/Logs/archiveAggFiles/broker/apache-activemq-5.15.2/lib/optional/log4j-1.2.17.jar |
|
<IP> |
DA2.domain.com |
106032 |
EOL/Obsolete Software: Apache Log4j 1.X Detected |
2022-09-04 11:58:34 |
/opt/CA/IMDataAggregator/backup/apache-activemq/lib/optional/log4j-1.2.17.jar# |
Environment
DX NetOps : 21.2.x/22.2.x
OS : Linux
Cause
The paths to these files are either backup folders or old installation paths
Resolution
Remove the Log4J files from the old and backup folder paths. There won't be any issues with the product.
FYI...
There is no log4j vulnerability reported in the PM_22.2.x release.
Feedback
