Vulnerable log4j files

Article ID: 261825

Products

CA Client Automation - IT Client Manager CA Client Automation

Issue/Introduction

After upgrading to Client Automation 14.5 CU5 or 14.6, some vulnerable log4j files can still be found, as shown in the list below:

  Path              : C:\Program Files (x86)\CA\SC\Windows\lib\log4j-1.2.13.jar
  Installed version : 1.2.13

  Path              : C:\Program Files (x86)\CA\SC\Windows\mdb_cms_barracuda_Windows.jar
  Installed version : 1.2.13

  Path              : C:\Program Files (x86)\CA\SC\Windows\mdb_ITCM_oracle_Windows.jar
  Installed version : 1.2.13

  Path              : C:\Program Files (x86)\CA\DSM\database\mdb_install\mdb_cms_barracuda_Windows.jar
  Installed version : 1.2.13

  Path              : C:\Program Files (x86)\CA\DSM\database\mdb_install\mdb_ITCM_oracle_Windows.jar
  Installed version : 1.2.13

  Path              : C:\Program Files (x86)\CA\DSM\database\mdb_install\lib\log4j-1.2.13.jar
  Installed version : 1.2.13

  Path              : C:\Program Files (x86)\CA\DSM\database\lib\log4j-1.2.8.jar
  Installed version : 1.2.8

  Path              : C:\Program Files (x86)\CA\DSM\Bin\ral\lib\log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : C:\Program Files (x86)\CA\DSM\Bin\Telemetry\jars\log4j-1.2.17.jar
  Installed version : 1.2.17

Environment

Client Automation 14.5 CU5 and 14.6

Resolution

The vulnerable jars in the ..SC\Windows\lib, ..DSM\database\lib and ..DSM\database\mdb_install\lib folders can be deleted, as these files are not required after the DM is installed.

The files inside ..CA\DSM\Bin\ral\lib\ are not used by the DM either. These files belong to a feature called "Repository Access Layer", used for 'debian' package installation.

The jar inside the ..CA\DSM\Bin\Telemetry\ folder can be deleted only if a newer version of log4j is also present there. In this example, the old vulnerable log4j (1.2.17) is found alongside two other jars from a newer release (2.17.1).

In this case, the vulnerable log4j file can be deleted.
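The resolution above, as an added PowerShell inventory script that is not part of the KB article: it lists log4j 1.x jars under the install root and applies the article's folder rules (unused folders, and the Telemetry rule that requires a newer log4j alongside the old one). The default install root, the verdict wording and the report-only behaviour are assumptions.

```powershell
# Added example (not from the KB article): inventory log4j 1.x jars under a
# Client Automation install root and classify each one using the article's rules.
# $InstallRoot is an assumption; the default matches the paths listed in the article.
param(
    [string]$InstallRoot = 'C:\Program Files (x86)\CA'
)

# Folders the article says are not needed once the DM is installed (relative to $InstallRoot).
$UnusedDirs = @('SC\Windows\lib', 'DSM\database\lib', 'DSM\database\mdb_install\lib', 'DSM\Bin\ral\lib')
# Folder where a 1.x jar may be removed only if a newer log4j is present alongside it.
$TelemetryDir = 'DSM\Bin\Telemetry\jars'

function Get-Log4jVersion {
    param([string]$FileName)
    # The version is read from the file name, e.g. log4j-1.2.17.jar or log4j-core-2.17.1.jar
    if ($FileName -match '^log4j(?:-[a-z]+)*-(\d+(?:\.\d+)+)\.jar$') { return [version]$Matches[1] }
    return $null
}

$root = $InstallRoot.TrimEnd('\')
$jars = Get-ChildItem -Path $root -Recurse -Filter 'log4j*.jar' -File -ErrorAction SilentlyContinue
foreach ($jar in $jars) {
    $ver = Get-Log4jVersion $jar.Name
    if (-not $ver -or $ver.Major -ge 2) { continue }   # only log4j 1.x jars are in scope here
    $rel = $jar.DirectoryName.Substring($root.Length).TrimStart('\')
    if ($UnusedDirs -contains $rel) {
        $verdict = 'DELETE: folder not used after DM install'
    } elseif ($rel -eq $TelemetryDir) {
        # A 2.x jar in the same folder is what makes the 1.x jar removable per the article.
        $newer = $jars | Where-Object { $_.DirectoryName -eq $jar.DirectoryName } |
                 ForEach-Object { Get-Log4jVersion $_.Name } | Where-Object { $_ -and $_.Major -ge 2 }
        if ($newer) { $verdict = "DELETE: newer log4j ($($newer | Select-Object -First 1)) in same folder" }
        else        { $verdict = 'KEEP: no newer log4j alongside it in the Telemetry folder' }
    } else {
        $verdict = 'REVIEW: location not covered by the article'
    }
    # Report only; the administrator decides what to remove.
    [pscustomobject]@{ Path = $jar.FullName; Version = $ver; Verdict = $verdict }
}
```

The name filter does not catch jars that bundle log4j classes under another name (such as the mdb_*.jar files listed above), so those still need a scan that inspects jar contents rather than file names.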

Additional Information

NOTE: On a fresh installation of Client Automation 14.6, the CA\DSM\Bin\ral directory no longer exists.