Vulnerable log4j files found after upgrading to 14.5 CU5



Article ID: 261825


Products

CA Client Automation - IT Client Manager; CA Client Automation

Issue/Introduction

After upgrading to 14.5 CU5, some vulnerable log4j files can still be found in the installation folder, as shown in this list:

  Path              : C:\Program Files (x86)\CA\SC\Windows\lib\log4j-1.2.13.jar
  Installed version : 1.2.13

  Path              : C:\Program Files (x86)\CA\SC\Windows\mdb_cms_barracuda_Windows.jar
  Installed version : 1.2.13

  Path              : C:\Program Files (x86)\CA\SC\Windows\mdb_ITCM_oracle_Windows.jar
  Installed version : 1.2.13

  Path              : C:\Program Files (x86)\CA\DSM\database\mdb_install\mdb_cms_barracuda_Windows.jar
  Installed version : 1.2.13

  Path              : C:\Program Files (x86)\CA\DSM\database\mdb_install\mdb_ITCM_oracle_Windows.jar
  Installed version : 1.2.13

  Path              : C:\Program Files (x86)\CA\DSM\database\mdb_install\lib\log4j-1.2.13.jar
  Installed version : 1.2.13

  Path              : C:\Program Files (x86)\CA\DSM\database\lib\log4j-1.2.8.jar
  Installed version : 1.2.8

  Path              : C:\Program Files (x86)\CA\DSM\Bin\ral\lib\log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : C:\Program Files (x86)\CA\DSM\Bin\Telemetry\jars\log4j-1.2.17.jar
  Installed version : 1.2.17

Environment

Client Automation 14.5 CU5

Resolution

The vulnerable jars in the ..SC\Windows\lib, ..DSM\database\lib and ..DSM\database\mdb_install\lib folders can be deleted; these files are not required after the DM is installed.

The files inside ..CA\DSM\Bin\ral\lib\ are not used by the DM either. They belong to a feature called "Repository Access Layer", used for 'debian' package installation, so they can be deleted too.

The jar inside the ..CA\DSM\Bin\Telemetry\ folder can be deleted only if a newer version of log4j is present alongside it. In this example, the old vulnerable log4j (1.2.17) is found together with two other jars from a newer release (2.17.1):

In this case, the vulnerable log4j file can be deleted.
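The resolution above as a PowerShell script, added here as an example and not part of the Broadcom article. It assumes the default install root from the path list, only removes the jars the article says are unneeded, and for the Telemetry folder treats a log4j 2.17.1 or newer jar (the release shown in the article's example) as the condition for removal; run it with -WhatIf first to see what it would delete.

```powershell
# Added example, not the article's own tooling. Paths are the ones listed in the
# article; the mdb_*.jar bundles are not addressed by the article and are left alone.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CaRoot = 'C:\Program Files (x86)\CA'   # install root from the article's paths
)

# Jars the article says are not required once the DM is installed.
$unconditional = @(
    'SC\Windows\lib\log4j-1.2.13.jar',
    'DSM\database\lib\log4j-1.2.8.jar',
    'DSM\database\mdb_install\lib\log4j-1.2.13.jar',
    'DSM\Bin\ral\lib\log4j-1.2.17.jar'      # Repository Access Layer, unused by the DM
)

# The Telemetry jar may only be removed when a newer log4j jar sits beside it.
$telemetryDir = Join-Path $CaRoot 'DSM\Bin\Telemetry\jars'
$telemetryOld = Join-Path $telemetryDir 'log4j-1.2.17.jar'

function Get-NewerLog4j {
    param([string]$Dir)
    # Returns the first log4j-*-2.x.y.jar (e.g. log4j-core-2.17.1.jar) at or above
    # 2.17.1; the threshold is this example's assumption, taken from the article's figure.
    Get-ChildItem -Path $Dir -Filter 'log4j*-2.*.jar' -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -match '-(\d+\.\d+\.\d+)\.jar$' -and
            [version]$Matches[1] -ge [version]'2.17.1'
        } | Select-Object -First 1
}

foreach ($rel in $unconditional) {
    $path = Join-Path $CaRoot $rel
    if (-not (Test-Path $path)) { Write-Verbose "Not present: $path"; continue }
    if ($PSCmdlet.ShouldProcess($path, 'Remove vulnerable log4j 1.2.x jar')) {
        Remove-Item -Path $path -Force
    }
}

if (Test-Path $telemetryOld) {
    $newer = Get-NewerLog4j -Dir $telemetryDir
    if ($newer) {
        if ($PSCmdlet.ShouldProcess($telemetryOld, "Remove (newer $($newer.Name) present)")) {
            Remove-Item -Path $telemetryOld -Force
        }
    } else {
        Write-Warning "Keeping $telemetryOld : no log4j 2.17.1+ jar found in $telemetryDir"
    }
}
```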