wasp vulnerability log4j-1.2.17.jar

Article ID: 252929

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

We have updated UIM to version 20.4 and we still detected this vulnerability on the Primary hub: 

   /opt/nimsoft/probes/service/Wasp/lib/services/log4j-1.2.17.jar

The current wasp version is 20.44.

Environment

  • Release: 20.4
  • wasp 20.4.4

Resolution

log4j 2.17.1 is not vulnerable. That is the reason we have upgraded all webapps to log4j version 2.17.1.

I'm not sure why your scan still shows the old version of log4j, that is, 1.2.17.

The log4j-1.2-api-2.17.1.jar is expected. This is a "compatibility bridge" between old (vulnerable) log4j 1.2 and new (not vulnerable) 2.17.1.

It is itself part of the 2.17.1 release and is safe/not vulnerable.

If you have this log4j-1.2.17.jar on your system, it is probably a leftover artifact from a previous install/upgrade and it should be OK to delete.

Save a copy to your desktop or another safe place for safekeeping, then delete the log4j-1.2.17.jar under /opt/nimsoft/probes/service/Wasp/lib/services
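The backup-then-delete step above as a shell sketch that also shows why the bridge jar must be left alone. This is an added example, not Broadcom's tooling; the file name patterns and the backup directory are assumptions.

```shell
#!/bin/sh
# Added example. Only log4j-1.2.17.jar, log4j-1.2-api-2.17.1.jar and the
# services path come from the article; the name patterns are assumptions.

# Classify one jar by file name.
classify_log4j_jar() {
    case "$(basename "$1")" in
        log4j-1.2-api-*.jar) echo bridge ;;  # 1.2 compatibility bridge from log4j 2.x
        log4j-1.*.jar)       echo legacy ;;  # original log4j 1.x, e.g. log4j-1.2.17.jar
        log4j-*.jar)         echo log4j2 ;;  # assumed log4j 2.x module (core, api, ...)
        *)                   echo other ;;
    esac
}

# remove_legacy_log4j LIB_DIR BACKUP_DIR [--delete]
# Lists every log4j jar in LIB_DIR with its class. Without --delete it only
# reports; with --delete each legacy jar is copied to BACKUP_DIR, the copy is
# verified, and only then is the original removed.
remove_legacy_log4j() {
    lib_dir=$1; backup_dir=$2; mode=${3:-report}; removed=0
    for jar in "$lib_dir"/log4j-*.jar; do
        [ -f "$jar" ] || continue            # glob matched nothing
        kind=$(classify_log4j_jar "$jar")
        echo "$kind  $jar"
        [ "$kind" = legacy ] || continue     # bridge and 2.x jars stay in place
        if [ "$mode" != --delete ]; then
            echo "  would back up and delete (re-run with --delete)"
            continue
        fi
        mkdir -p "$backup_dir" || return 1
        cp -p "$jar" "$backup_dir/" || return 1
        # Delete only once the backup is byte-identical to the original.
        cmp -s "$jar" "$backup_dir/$(basename "$jar")" || return 1
        rm -f "$jar" || return 1
        removed=$((removed + 1))
    done
    echo "removed=$removed"
}

# Usage on the hub from the article (backup path is a placeholder):
#   remove_legacy_log4j /opt/nimsoft/probes/service/Wasp/lib/services /root/log4j-backup --delete
```

Keep the backup directory outside the probe tree so the next vulnerability scan does not flag the saved copy.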

Additional Information

Resolution confirmed.