DX Unified Infrastructure Management


Listdesigner - log4j-1.2.17.jar - UIM 20.4 CU10

Matthias Gruber posted Aug 13, 2024 02:11 AM

Hi!

As stated in "UIM 20.4 CU8 and CU9 wasp listdesigner\WEB-INF\lib\log4j-1.2.17.jar Vulnerability":

UIM 20.4 CU8 and CU9 wasp listdesigner\WEB-INF\lib\log4j-1.2.17.jar Vulnerability.
DX Unified Infrastructure Management (Nimsoft / UIM)
Issue/Introduction: Security team did a scan on UIM servers and found vulnerabilities in log4j on the below paths.
Plugin Output: Path: C:\Program Files (x86)\Nimsoft\probes\service\wasp\webapps\listdesigner\WEB-INF\lib\log4j-1.2.17.jar Installed version: 1.2.17
Environment: Release: 20.4, wasp: 20.48, UIM 20.4 CU8, UIM 20.4 CU9
Resolution: This is a known issue that is addressed and the fix is available in UIM 23.4 and 20.4 CU10.


There should be a fix in 20.4 CU10 for this. Personally, I expected that the jar would be removed, so our security scan would not find it anymore.

Unfortunately, the file is still there, and it is reported as a major flaw.

In the readme of CU10 I do not find any notice about it. The KB article was updated on 8-6-2024, so it seems to be fixed?

Can I securely remove the file?

Cheers
Matthias

Broadcom Employee Franklin Ravi D'souza (Best Answer)

Hi Matthias,

Please confirm that the listdesigner webapp is correctly updated, i.e. uim_listdesigner - webapp:20.50, as that is the version in 20.4 CU10:

https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99112028&os=MULTI-PLATFORM

I don't see log4j-1.2.17.jar in my test env in 20.4 CU10 in the listdesigner webapp.

You can try to redeploy ump_listdesigner 20.50 and see if it removes the jar file.

If it is still present, then you can take a backup and remove it.

Regards,

Frank
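To confirm after the redeploy that no Log4j 1.x jar is left anywhere under the wasp webapps tree (not only in listdesigner), here is an added example that is not Broadcom's or the poster's code. It assumes the Windows layout from the KB article; demo() builds a constructed sample tree so the check can be run offline.

```python
"""Report leftover Log4j 1.x jars under a wasp webapps tree (added example, not Broadcom's code)."""
import os
import re
import sys
import tempfile
import zipfile

JAR_NAME = re.compile(r"^log4j(?:-[a-z]+)*-(\d+(?:\.\d+)+)\.jar$", re.I)

def jar_version(path):
    """Version from META-INF/MANIFEST.MF, else from the file name, else 'unknown'."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        manifest = ""  # unreadable jar or no manifest: fall back to the file name
    found = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    found = found or JAR_NAME.match(os.path.basename(path))
    return found.group(1) if found else "unknown"

def is_legacy_log4j(version):
    """Log4j 1.x, the line the scanner flagged, is end-of-life; every 1.* release counts."""
    return version.split(".", 1)[0] == "1"

def find_log4j_jars(root):
    """Walk root and return sorted (relative path, version, is_legacy) tuples for log4j jars."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().startswith("log4j") and name.lower().endswith(".jar"):
                full = os.path.join(dirpath, name)
                ver = jar_version(full)
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), ver, is_legacy_log4j(ver)))
    return sorted(hits)

def demo():
    """Constructed sample tree: a stale 1.2.17 jar in listdesigner, a Log4j 2 jar elsewhere."""
    base = tempfile.mkdtemp()
    stale = os.path.join(base, "listdesigner", "WEB-INF", "lib")
    current = os.path.join(base, "other", "WEB-INF", "lib")
    for d in (stale, current):
        os.makedirs(d)
    with zipfile.ZipFile(os.path.join(stale, "log4j-1.2.17.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
    with zipfile.ZipFile(os.path.join(current, "log4j-core-2.17.1.jar"), "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Core.class", b"")  # deliberately no manifest
    return find_log4j_jars(base)

if __name__ == "__main__":
    # Pass a real root, e.g. C:\Program Files (x86)\Nimsoft\probes\service\wasp\webapps
    for rel, ver, legacy in (find_log4j_jars(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print("STALE" if legacy else "ok   ", ver, rel)
```

Run it against the wasp webapps directory after the redeploy; any line marked STALE is a 1.x jar the scanner will keep flagging.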

Matthias Gruber

Hi!

Yes, it is actual:

I will do as mentioned and post the results.

cheers
Matthias

Matthias Gruber

Hi!

I can acknowledge that a redeploy made it; now the log4j-1.2.17.jar is gone.

Interesting... shouldn't this have happened in the update process? However, my security folks are satisfied now :-)

cheers
Matthias