Vulnerability : Apache Log4J - end of life (<-1.x)

Article ID: 274856

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Hi,

Yes, Log4j has come back around from last year. Within Broadcom APM enterprise managers, they have a Log4J library that when scanned is version <=1.x. These versions are "EOL" (end of life).

https://www.tenable.com/plugins/nessus/182252

Last time we visited this topic Broadcom published the following:

https://knowledge.broadcom.com/external/article?articleId=233745

What is the response for version 10.7 with Log4J <=1.x?

Environment

Release : 10.7.0

Resolution

1) 10.7 is End of Life 12-31-23, in two months. We can open a case (or cases) on the upgrade if required. 10.7 still ships Log4j. Upgrading to 10.8, 2x.x (and SaaS) gives a Log4j-free environment.

2) On the Agent side, there is no more Log4j:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/dx-apm-agents/SaaS/release-notes/23-5.html

Added Logback Support

Logging has moved from the log4j framework to the logback framework for compliance reasons. Frequently used properties are exposed via IntroscopeAgent.profile and advanced configuration is maintained in agent-logback-configuration.xml. For more information, see Logging Using Logback and Logging Configuration.
3) In 10.8 and 2x.x, there is no Log4j:

Uses Logback for Logging

Logging now uses the Logback library. The configuration is stored in logback-ws.xml, logback-wv.xml, and config/logback-em.xml. Log4j is not used for logging anymore.

Added Logback Support

Logging now uses the Logback library. The logback framework is mainly configured through the YAML configuration file. New generic properties are added to the ModuleFeedbackChannel API to set basic settings, such as logging level and log directory. For more information, see Logging Using Logback and Logging Configuration.
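For anyone who needs to confirm the scanner's finding on a 10.7 Enterprise Manager, or to verify after an upgrade to 10.8/2x.x that no Log4j 1.x jar is left behind, the following is an added inventory script; it is not Broadcom's code and is not part of this article. It classifies a jar by the package prefix of its class entries (Log4j 1.x lives under org/apache/log4j/, Log4j 2.x under org/apache/logging/log4j/, Logback under ch/qos/logback/), so a renamed or repackaged jar is still found, and reads the version from META-INF/MANIFEST.MF, which may be missing on stripped jars. The sample directory tree it scans is constructed inside the script; point scan_log4j1() at the real installation root (the path is an assumption you supply) to run it against an actual install.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Log4j 1.x packages its classes under org/apache/log4j/; Log4j 2.x uses
# org/apache/logging/log4j/ and Logback uses ch/qos/logback/, so neither of
# those is matched by this prefix.
LOG4J1_PREFIX = "org/apache/log4j/"
VERSION_RE = re.compile(r"^Implementation-Version:[ \t]*(\S+)", re.MULTILINE)


def manifest_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def inspect_jar(path):
    """Return (version, has_log4j1_classes) for one jar, or None if it is not readable as a zip."""
    try:
        with zipfile.ZipFile(path) as zf:
            has_log4j1 = any(n.startswith(LOG4J1_PREFIX) for n in zf.namelist())
            return manifest_version(zf), has_log4j1
    except (zipfile.BadZipFile, OSError):
        return None


def scan_log4j1(root):
    """Walk root and list every jar that carries Log4j 1.x classes.

    Each finding is (path relative to root, version or None). Classification is
    by package prefix rather than file name; the version comes from the manifest.
    """
    root = Path(root)
    findings = []
    for jar in sorted(root.rglob("*.jar")):
        info = inspect_jar(jar)
        if info is None:
            continue
        version, has_log4j1 = info
        if has_log4j1:
            findings.append((jar.relative_to(root).as_posix(), version))
    return findings


def _write_jar(path, version, class_entry):
    """Build one constructed jar with a manifest and a single (empty) class entry."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        manifest = "Manifest-Version: 1.0\r\n"
        if version:
            manifest += f"Implementation-Version: {version}\r\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(class_entry, b"")


def build_sample_tree(root):
    """Constructed sample tree (not a real APM install): one Log4j 1.x jar, one
    renamed copy with no manifest version, one Log4j 2.x jar and one Logback jar."""
    root = Path(root)
    _write_jar(root / "lib" / "log4j-1.2.17.jar", "1.2.17", "org/apache/log4j/Logger.class")
    _write_jar(root / "ext" / "vendor-logging.jar", None, "org/apache/log4j/Category.class")
    _write_jar(root / "lib" / "log4j-api-2.x.jar", "2.17.1", "org/apache/logging/log4j/Logger.class")
    _write_jar(root / "lib" / "logback-classic.jar", "1.2.11", "ch/qos/logback/classic/Logger.class")


def demo():
    """Build the constructed tree in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_log4j1(tmp)


if __name__ == "__main__":
    for rel, version in demo():
        print(f"{rel}: Log4j 1.x (EOL), version {version or 'unknown'}")
```

On the constructed tree only the two jars containing org/apache/log4j/ classes are reported, the renamed one with an unknown version; the Log4j 2.x and Logback jars are not, which is the result an upgraded 10.8/2x.x install should produce across its whole lib directory.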