log4j vulnerability in uninstaller.jar.

Article ID: 396350

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

A vulnerability scan reported a log4j vulnerability in the 23.4.3 uninstaller.jar (also detected on 23.4.2 and prior versions).

Apache Log4j SEoL (<= 1.x) | Misc. | Critical | ##.##.### | example1 | UIM

Plugin Output:


  Path                                   : D:\Program Files (x86)\Nimsoft\_ca_uimserver_installation\uninstaller.jar
  Installed version                      : 1.2.17-cloudera1
  Security End of Life                   : August 4, 2015
  Time since Security End of Life (Est.) : >= 9 years

Environment

Release: DX UIM 23.4

Resolution

The vulnerable version of log4j is included only in uninstaller.jar, which is executed only during uninstallation of the product.

It is not "live" and not associated with any actively running component.

Therefore, the vulnerability cannot actually be accessed or exploited.

However, it may still be flagged by vulnerability scans or security audits.

This has been resolved in DX UIM 23.4.4 and higher. Upgrade to that version to resolve the issue.
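
To check which jar on a host actually carries log4j 1.x, and to re-check after upgrading, the archive can be inspected directly. The following is an added example, not vendor code: it assumes the bundled library keeps the standard org/apache/log4j/ class path and Maven pom.properties metadata, and the sample jars are constructed for illustration.

```python
import io
import sys
import zipfile

# log4j 1.x classes live under org/apache/log4j/ (2.x uses org/apache/logging/log4j/).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
# Standard Maven metadata path for the log4j:log4j artifact (assumed present in the bundle).
POM_PROPS = "META-INF/maven/log4j/log4j/pom.properties"

def find_log4j1(jar_bytes, label="<jar>", depth=0, max_depth=3):
    """Return [(location, version)] for each log4j 1.x copy, descending into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:
        return []  # not a readable archive; nothing to report
    findings = []
    with zf:
        names = set(zf.namelist())
        if LOG4J1_MARKER in names:
            version = "unknown"
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append((label, version))
        if depth < max_depth:
            for name in sorted(n for n in names if n.lower().endswith(".jar")):
                findings += find_log4j1(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)
    return findings

def make_jar(entries):
    """Build an in-memory jar from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples (not the real uninstaller.jar): a bundled log4j 1.x and a log4j 2.x jar.
SAMPLE_V1 = make_jar({LOG4J1_MARKER: b"", POM_PROPS: b"groupId=log4j\nversion=1.2.17-cloudera1\n"})
SAMPLE_NESTED = make_jar({"lib/log4j.jar": SAMPLE_V1, "Uninstall.class": b""})
SAMPLE_V2 = make_jar({"org/apache/logging/log4j/Logger.class": b""})

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the Path value from the scanner's plugin output
        with open(path, "rb") as fh:
            for location, version in find_log4j1(fh.read(), path):
                print(f"{location}: log4j {version}")
```

Run it with one or more jar paths as arguments; a jar that prints nothing contains no log4j 1.x classes at the depths searched.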
