Log4j vulnerability for Autosys 12.1 - log4j 2.17 files found but they should be 2.18

Article ID: 261226

Products

CA Workload Automation AE

Issue/Introduction

Our security team has reported that they found log4j 2.17 files in AutoSys 12.1.

The documentation claims AutoSys 12.1 should have shipped with log4j 2.18.

Environment

Release: 12.1

Resolution

For AutoSys 12.1, the log4j files in place should already be at version 2.18, but the wrong version of some files was mistakenly included in the 12.1 media.
They should have been 2.18 but instead they were 2.17.
Our development team has stated that the file(s) can be replaced with the 2.18 version without issue.

The files log4j-api.jar and log4j-core.jar in

$AUTOSYS/lib/
and
$AUTOUSER/webserver/webapps/AEWS/WEB-INF/lib/

are 2.17 and should have been 2.18.
Please replace them with copies of the two files from
$AUTOROOT/SystemAgent/WA_AGENT/jars/ext
where their versions are 2.18.
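
The replacement described above can be scripted so that each jar's version is confirmed before and after the copy. This is an added example, not Broadcom's own tooling; it assumes the jars in jars/ext use the same two file names and that each jar records its version in the manifest's Implementation-Version or Bundle-Version header.

```python
import os
import shutil
import zipfile

JARS = ("log4j-api.jar", "log4j-core.jar")  # file names from the article


def jar_version(path):
    """Return the version recorded in the jar's manifest, or None if absent."""
    try:
        with zipfile.ZipFile(path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:  # jar has no manifest entry
        return None
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value.strip()
    # Assumption: the version is in one of these standard manifest headers.
    return fields.get("Implementation-Version") or fields.get("Bundle-Version")


def matches(version, wanted):
    """True for '2.18' or '2.18.x', but not for '2.180'."""
    return version is not None and (version + ".").startswith(wanted + ".")


def replace_old_jars(source_dir, target_dirs, wanted="2.18"):
    """Copy jars from source_dir over target copies that are not `wanted`.

    Returns (path, old_version, new_version) for every file replaced; the
    old file is kept next to the new one with a .bak suffix.
    """
    changes = []
    for name in JARS:
        src = os.path.join(source_dir, name)
        src_ver = jar_version(src)
        if not matches(src_ver, wanted):
            raise RuntimeError(f"{src} is {src_ver}, expected {wanted}")
        for target in target_dirs:
            dst = os.path.join(target, name)
            old = jar_version(dst)
            if matches(old, wanted):
                continue  # already at the expected version
            shutil.copy2(dst, dst + ".bak")
            shutil.copy2(src, dst)
            changes.append((dst, old, src_ver))
    return changes


if __name__ == "__main__":
    env = os.environ
    source = os.path.join(env["AUTOROOT"], "SystemAgent/WA_AGENT/jars/ext")
    targets = [os.path.join(env["AUTOSYS"], "lib"),
               os.path.join(env["AUTOUSER"], "webserver/webapps/AEWS/WEB-INF/lib")]
    for path, old, new in replace_old_jars(source, targets):
        print(f"{path}: {old} -> {new}")
```

The .bak copies still contain the 2.17 classes, so a file-based scanner may keep reporting them until they are moved out of the scanned directories.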