What about the log4j in discovery_agent? During our security scan they also found discovery_agent as a risk. Below is what our security team found:
######################
Plugin Output:
Path : D:\Program Files (x86)\Nimsoft\probes\service\discovery_agent\lib\log4j-1.2.17.jar
Installed version : 1.2.17
Fixed version : 2.16.0
A package installed on the remote host is affected by a remote code execution vulnerability.
The version of Apache Log4j on the remote host is 1.2. It is, therefore, affected by a remote code execution vulnerability when specifically configured to use JMSAppender.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
###########################
Original Message:
Sent: Dec 20, 2021 09:09 AM
From: Nijin K
Subject: CVE-2021-44228: Log4j Vulnerability UIM impact?
Hi all
Just got updated that log4j version 2.16 is also vulnerable, so I was asked whether UIM uses version 2.16 or not, and if yes, where, and what the remediation would be.
Please suggest
Original Message:
Sent: Dec 17, 2021 04:13 AM
From: Joachim Stenhjem
Subject: CVE-2021-44228: Log4j Vulnerability UIM impact?
Hi
The vulnerability is known to be present in 2.0 <= Apache log4j <= 2.15.0.
I also find traces of log4j in folders other than those mentioned in the KB.
What about these:
- ./c/buildomatic/conf_source/iePro/lib/log4j-core-2.12.1.jar
- ./c/buildomatic/install_resources/war/jasperserver-pro/WEB-INF/lib/log4j-core-2.12.1.jar
- ./c/buildomatic/target/log4j-core-2.11.2.jar
- ./probes/service/wasp/webapps/cabijs/WEB-INF/lib/log4j-core-2.12.1.jar
- ./probes/service/wasp/webapps/uimapi/WEB-INF/lib/log4j-core-2.7.jar
1-3 are probably related to the CABI install process. Can the folders be removed after installation?
As a quick step I have removed the JndiLookup.class where found.
What's the official response?
------------------------------
[JobTitle]
[CompanyName].com
[Country]
Original Message:
Sent: Dec 13, 2021 01:22 PM
From: Stephen Danseglio
Subject: CVE-2021-44228: Log4j Vulnerability UIM impact?
Hi David,
The hotfixes for log4j vulnerability issue are now available here:
https://support.broadcom.com/download-center/solution-detail.html?aparNo=LU03862&os=MULTI-PLATFORM
The KB Article has also been updated with this link.
Steve
------------------------------
Support Engineer
Broadcom
US
Original Message:
Sent: Dec 13, 2021 01:18 PM
From: David Fugate
Subject: CVE-2021-44228: Log4j Vulnerability UIM impact?
Followed the KB article and went through the steps for ADE, baseline_engine, and prediction_engine. The problem we ran into is that the JndiLookup.class file isn't there to delete on any device where the probes are deployed. What do we do if this file isn't there to delete? Is this a problem?
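As an added example that is not part of this thread, the KB article or Broadcom's hotfix: a small Python scanner that walks an install tree, finds every log4j jar (the ones Joachim listed as well as the log4j-1.2.17.jar under discovery_agent from the Nessus output), reads the version from the jar manifest instead of trusting the file name, and looks inside the jar for the class that actually matters: JndiLookup.class for log4j 2.x and JMSAppender.class for log4j 1.x. For the "nothing to delete" case: if a 2.x core jar has no JndiLookup.class entry there is nothing left to remove for that jar, and a log4j 1.x jar never contained JndiLookup.class in the first place. The status labels, the 2.16.0 threshold (the fixed version Nessus reports above) and the sample jar contents are my own assumptions; the sample tree is constructed in a temp directory and only reuses the paths quoted in the thread.

```python
"""Walk a UIM install (or any directory), find every log4j jar, and report the
two things the thread keeps coming back to: which version the jar really is and
whether the class that matters is still inside it. For log4j 2.x that is
org/apache/logging/log4j/core/lookup/JndiLookup.class (CVE-2021-44228/45046);
for log4j 1.x it is org/apache/log4j/net/JMSAppender.class (CVE-2021-4104)."""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
# Matches log4j-1.2.17.jar, log4j-core-2.12.1.jar, log4j-api-2.7.jar, ...
JAR_NAME = re.compile(r"^log4j(?:-[a-z0-9]+)*-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'2.12.1' -> (2, 12, 1). Tuples compare correctly; strings do not ('2.7' > '2.16')."""
    return tuple(int(p) for p in text.split("."))


def inspect_jar(path):
    """Triage one jar. The manifest's Implementation-Version wins over the file name."""
    version = None
    m = JAR_NAME.match(os.path.basename(path))
    if m:
        version = m.group(1)
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            mm = re.search(r"^Implementation-Version:\s*([0-9.]+)", manifest, re.MULTILINE)
            if mm:
                version = mm.group(1)
    ver = parse_version(version) if version else None
    has_jndi = JNDI_LOOKUP in names
    has_jms = JMS_APPENDER in names
    is_core = "core" in os.path.basename(path).lower()
    if ver and ver[0] == 2:
        if has_jndi and ver < (2, 16, 0):
            status = "REMEDIATE"   # lookup class present in a version that still evaluates ${jndi:...}
        elif has_jndi:
            status = "OK"          # 2.16.0+ ships the class but disables message lookups and JNDI by default
        elif is_core:
            status = "MITIGATED"   # core jar with JndiLookup.class stripped out, the KB-style workaround
        else:
            status = "OK"          # log4j-api and friends never contained JndiLookup.class
    elif ver and ver[0] == 1:
        # Exploitable only when the logging config actually uses JMSAppender, hence a review item.
        status = "REVIEW" if has_jms else "OK"
    else:
        status = "UNKNOWN"
    return {"path": path, "version": version, "jndi_lookup": has_jndi,
            "jms_appender": has_jms, "status": status}


def scan_tree(root):
    """Triage every log4j*.jar under root; paths come back relative to root with '/' separators."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if JAR_NAME.match(name):
                rec = inspect_jar(os.path.join(dirpath, name))
                rec["path"] = os.path.relpath(rec["path"], root).replace(os.sep, "/")
                records.append(rec)
    return sorted(records, key=lambda r: r["path"])


# Constructed sample jars using the paths quoted in the thread. They are empty
# shells with a manifest and placeholder class entries, not real log4j builds.
SAMPLES = [
    ("probes/service/wasp/webapps/cabijs/WEB-INF/lib/log4j-core-2.12.1.jar", "2.12.1", [JNDI_LOOKUP]),
    ("probes/service/wasp/webapps/uimapi/WEB-INF/lib/log4j-core-2.7.jar", "2.7", []),  # class already removed
    ("c/buildomatic/target/log4j-core-2.11.2.jar", "2.11.2", [JNDI_LOOKUP]),
    ("probes/service/discovery_agent/lib/log4j-1.2.17.jar", "1.2.17", [JMS_APPENDER]),
]


def build_sample_tree(root):
    for rel, version, classes in SAMPLES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
            for cls in classes:
                zf.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode


def demo():
    """Build the constructed tree in a temp dir and scan it; returns the triage records."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rec in demo():
        print("%-10s %-7s jndi=%-5s jms=%-5s %s" % (rec["status"], rec["version"],
                                                  rec["jndi_lookup"], rec["jms_appender"], rec["path"]))
```

Point scan_tree() at the Nimsoft root instead of the constructed tree to run it for real. It only sees jars that sit directly on disk; a log4j-core jar packed inside an unexploded .war or .ear would need the archive opened one level deeper, and a REMEDIATE hit still has to be fixed by the vendor hotfix or by deleting the JndiLookup.class entry from that jar, which this scanner deliberately does not do on its own.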
Original Message:
Sent: Dec 13, 2021 07:15 AM
From: Nick Barlow
Subject: CVE-2021-44228: Log4j Vulnerability UIM impact?
Are discovery_agent/server and topology_agent not affected?
Original Message:
Sent: Dec 12, 2021 10:00 AM
From: TaeHyun Kim
Subject: CVE-2021-44228: Log4j Vulnerability UIM impact?
Hi All
Solved.
Thank you.