wasp vulnerability log4j-1.2.17.jar
search cancel

wasp vulnerability log4j-1.2.17.jar

book

Article ID: 252929

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM) CA Unified Infrastructure Management On-Premise (Nimsoft / UIM) CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

We have updated UIM to version 20.4 and we still detected this vulnerability on the Primary hub: 

   /opt/nimsoft/probes/service/wasp/lib/services/log4j-1.2.17.jar

The current wasp version is 20.44.

Environment

  • Release: 20.4
  • wasp 20.4.4

Resolution

log4j 2.17.1 is not vulnerable. That is the reason we have upgraded all webapps with the log4j version 2.17.1. 

It is uncertain as to why your scan still shows the old version of log4j that is-> 1.2.17

The log4j-1.2-api-2.17.1.jar is expected. This is a "compatibility bridge" between old (vulnerable) log4j 1.2 and new (not vulnerable) 2.17.1.

It itself is part of the 2.17.1 version and is safe/not vulnerable.

If you have this log4j1.2.17.jar on your system then this is probably a 'left over' artifact from a previous install/upgrade and it should be ok to delete.

Save a copy to your desktop or another safe place just for safekeeping.

Deactivate the wasp probe and wait for the port and PID to drop.

Then delete the log4j-1.2.17.jar under-> /opt/nimsoft/probes/service/wasp/lib/services

Additional Information

In every UIM GA and CU release, we upgrade third-party components to address known vulnerabilities. 

As part of the UIM 23.4 GA release, all log4j* components were upgraded to version 2.20.0 to mitigate security risks.

However, if customers notice older versions, such as log4j* 1.2.7, are still present in the installation directories, these are likely stale/leftovers from previous installations that were not properly cleaned up during the upgrade process. These outdated files are no longer used and can be safely removed. 

To clean up the files:

  1. Deactivate the wasp probe

  2. Wait for the wasp port and PID to disappear

  3. Navigate to the physical location on the filesystem where the old/stale log4j* files reside

  4. Delete the old log4j* 1.2.7 files manually

  5. Activate the wasp probe

Doing this should not impact the current installation, and these old files will not reappear in future upgrades.

Broader search:

Search the wasp folder on the OC robot for:

  • log4j-1.2*.jar

  • 1.2.17

  • Check the 'old/older' file dates.

  • The LATEST wasp packages as of CU3 are v2.20

  • During or after upgrade, when the installer was trying to delete outdated/files from the wasp folder, we may not have successfully deleted/replaced the files if the wasp folder/files were open.

    • Its the same when youre trying to manually delete log4j files due to vulnerabilities. The wasp must be completely stopped first.

For any pending upgrade see:
 
 
Upgrade of 23.4.0 directly to 23.4.3 or to 23.4.4 IS supported.

 
CU1, CU2, and CU3 etc. files can be downloaded from here:
 
 
Important: For CU3, use: nas 23.4.3.2
 
Save the above links in your browser.

Resolution confirmed.

Powered by Wolken Software