We have upgraded the DU management server and Agents to 6.10.101 as per the recommendation to overcome the log4j vulnerabilities.
However, after the upgrade we can still see commons-logging.jar under the below-mentioned paths on the UVMS and Agent servers.
UVMS:
$UVMS_SERVER_INSTALL_DIR/app/jars/commons-logging.jar
$UNIVIEWER_INSTALL_DIR/jars/commons-logging.jar
$UNIVIEWER_INSTALL_DIR/webapps/univiewer/WEB-INF/lib/commons-logging.jar
$DUA_INSTALL_DIR/bin/bin_java/commons-logging.jar
Is this file used? Can it be removed or renamed? Any impact on the UVMS, Agent?
Release : 6.10.101
Component: DOLLAR UNIVERSE
The log4j library version should be 2.17, as mentioned in the Third-party Software Ack document.
The commons-logging.jar you are referring to is the Apache Commons Logging library. It is an abstraction over the concrete logging implementation and uses the underlying log4j libraries that are present, which are version 2.17.
The version of the JAR you are referencing is as below:
commons-logging
Whereas the log4j versions are as below:
The log4j API versions are as below:
We don't find Dollar Universe vulnerable through commons-logging.jar.
For vulnerability queries, please share the security scan report and the CVEs against the libraries/JARs highlighted by your security scan.
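
An added example (not part of the original article and not Dollar Universe code): one way to check what a scanner-flagged JAR actually is, by reading the title and version from its manifest and checking whether it contains log4j-core's JndiLookup class. The sample manifests, their version strings and the helper names are constructed for illustration.

```python
import io
import sys
import zipfile

# Class shipped inside log4j-core 2.x. Its presence identifies a log4j-core JAR
# even if the file was renamed; it does not by itself mean the JAR is vulnerable.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Constructed sample manifests (version strings are placeholders, not real data).
SAMPLE_COMMONS_MF = ("Manifest-Version: 1.0\r\nImplementation-Title: Apache Commons Log\r\n"
                     " ging\r\nImplementation-Version: 0.0.0-sample\r\n\r\n")
SAMPLE_LOG4J_MF = ("Manifest-Version: 1.0\r\nImplementation-Title: Apache Log4j Core\r\n"
                   "Implementation-Version: 2.17-sample\r\n\r\n")

def parse_manifest(text):
    """Parse the main section of MANIFEST.MF; a leading space continues the previous line."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:
            break  # a blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key] = value.strip()
    return attrs

def inspect_jar(jar):
    """Return (title, version, has_jndi_lookup) for a JAR path or file object."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        attrs = {}
        if "META-INF/MANIFEST.MF" in names:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            attrs = parse_manifest(raw)
    title = attrs.get("Implementation-Title") or attrs.get("Bundle-Name") or "unknown"
    version = attrs.get("Implementation-Version") or attrs.get("Bundle-Version") or "unknown"
    return title, version, JNDI_CLASS in names

def make_jar(manifest, members=()):
    """Build a constructed sample JAR in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for member in members:
            zf.writestr(member, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Pass real JAR paths as arguments, or run with none to see the samples.
    for target in sys.argv[1:] or [make_jar(SAMPLE_COMMONS_MF), make_jar(SAMPLE_LOG4J_MF, [JNDI_CLASS])]:
        print(inspect_jar(target))
```

Run against the paths listed in the question, a commons-logging.jar would report its own title and no JndiLookup class, which can be attached to the scan report when raising a vulnerability query.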