Log4j vulnerability via commons-logging.jar after upgrading to 6.10.101



Article ID: 261314


Products

CA Automic Dollar Universe

Issue/Introduction

We have upgraded the DU management server and Agents to 6.10.101, as per the recommendation to overcome the log4j vulnerabilities.

However, after the upgrade we can still see commons-logging.jar under the below-mentioned paths on the UVMS and Agent servers.

UVMS:

$UVMS_SERVER_INSTALL_DIR/app/jars/commons-logging.jar

$UNIVIEWER_INSTALL_DIR/jars/commons-logging.jar

$UNIVIEWER_INSTALL_DIR/webapps/univiewer/WEB-INF/lib/commons-logging.jar

$DUA_INSTALL_DIR/bin/bin_java/commons-logging.jar

Is this file used? Can it be removed or renamed? Any impact on the UVMS, Agent?

Environment

Release : 6.10.101

Component: DOLLAR UNIVERSE

Resolution

The log4j library version should be 2.17, as mentioned in the Third-party Software Ack document.

The commons-logging.jar you are referring to is the Apache Commons Logging library. It is an abstraction (a logging facade) over the concrete implementation: it delegates to whichever log4j libraries are present on the system, which here are version 2.17.

The version of the JAR you are referencing is as below:

commons-logging

Whereas the log4j versions are as below:

The log4j API version is as below:

We do not find Dollar Universe vulnerable through commons-logging.jar.
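To check the point above on an actual host, the following added example (it is not part of this article and not Automic code) reads the Maven pom.properties from each jar under an install directory, reports commons-logging as a facade rather than a log4j build, and flags any log4j-* jar below the 2.17 floor the article names. The install tree built by demo() is constructed sample data; the "log4j-" artifact prefix and the pom.properties lookup are assumptions about how the jars are packaged.

```python
import re
import tempfile
import zipfile
from pathlib import Path
MIN_LOG4J = (2, 17, 0)  # version floor the article names (log4j should be 2.17)

def parse_version(text):
    parts = [int(x) for x in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))  # pad so '2.17' == 2.17.0

def jar_identity(jar_path):
    """Return (artifactId, version) from the Maven pom.properties in a jar, else None."""
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                lines = zf.read(name).decode().splitlines()
                props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
                if "artifactId" in props and "version" in props:
                    return props["artifactId"].strip(), props["version"].strip()
    return None

def scan(install_dir):
    """Classify every jar under install_dir; returns {jar file name: status}."""
    results = {}
    for jar in Path(install_dir).rglob("*.jar"):
        identity = jar_identity(jar)
        if identity is None:
            results[jar.name] = "unknown (no pom.properties)"
        elif identity[0] == "commons-logging":
            # The facade carries no log4j code; only the backend log4j-* version matters.
            results[jar.name] = f"commons-logging {identity[1]} (facade, not log4j)"
        elif identity[0].startswith("log4j-"):
            verdict = "ok" if parse_version(identity[1]) >= MIN_LOG4J else "below 2.17"
            results[jar.name] = f"{identity[0]} {identity[1]} ({verdict})"
        else:
            results[jar.name] = f"{identity[0]} {identity[1]}"
    return results

def make_jar(path, artifact, version):
    """Write a constructed sample jar holding only a Maven pom.properties."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"META-INF/maven/example/{artifact}/pom.properties",
                    f"artifactId={artifact}\nversion={version}\n")

def demo():
    root = Path(tempfile.mkdtemp())  # constructed install tree, not a real DU path
    make_jar(root / "commons-logging.jar", "commons-logging", "1.2")
    make_jar(root / "log4j-core.jar", "log4j-core", "2.17.1")
    make_jar(root / "old-log4j-core.jar", "log4j-core", "2.14.1")
    return scan(root)
```

Point scan() at $UVMS_SERVER_INSTALL_DIR, $UNIVIEWER_INSTALL_DIR or $DUA_INSTALL_DIR to get the same classification for the paths listed in the question.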

Additional Information

For vulnerability queries, please share the security scan report and the CVEs reported against the libraries/JARs highlighted by your security scan.