DX Unified Infrastructure Management

  • 1.  New spectrumgtw probe

    Posted Nov 17, 2022 04:15 PM
    Today a new version of the spectrumgtw probe was released, having log4j fixes. The documentation says the new version is for UIM 20.3. Just want to double-check - is it not for 20.4 as well? If not - will there be a 20.4 version?


  • 2.  RE: New spectrumgtw probe

    Posted Nov 18, 2022 01:31 PM
    As per
    DX NetOps Spectrum and DX UIM Interoperability
    https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/release-announcements/DX-NetOps-Spectrum-and-DX-UIM-Interoperability/16504

    Spectrumgtw probe - v8.69 is compatible with both 20.3.3 & 20.4


  • 3.  RE: New spectrumgtw probe

    Posted Dec 02, 2022 02:51 PM
    Our Nessus scanner is still showing log4j vulnerabilities with the latest spectrumgtw probe.

    Plugin Plugin Name
    156032 Apache Log4j Unsupported Version Detection
    156103 Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
    156860 Apache Log4j 1.x Multiple Vulnerabilities

    For "Plugin Output":
    Path : C:\Program Files\Nimsoft\probes\gateway\spectrumgtw\lib\log4j-1.2.17.jar
    Installed version : 1.2.17

    Anyone else reporting this? This file was not replaced with the update and I was informed it was not part of a security bulletin.

    Thanks,

    Larry



  • 4.  RE: New spectrumgtw probe

    Posted Dec 05, 2022 08:44 AM
    Hi @Larry Fitzgerald, all,

    The main log4j discussion in 2021 was about log4j version 2, and therefore a statement like "was not part of a security bulletin" might be considered when relating to that only. However, log4j version 1 had its end of software maintenance like 7 years ago (https://logging.apache.org/log4j/1.2/download.html) and has its own bunch of security vulnerabilities, like the one mentioned by you.
    Given the worldwide attention log4j got, it doesn't seem like a good idea to keep log4j version 1 in use specifically nor to claim having fixed "log4j vulnerabilities" while ignoring the old version.
    A small variant could be "we're not using it anymore" but it's still on the disk, which would require the upgrade scripts to remove unused components anyway.

    Just my 2 cents

    regards,
    Raphael
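
An added example, not part of the original posts or of the vendor's tooling: a local inventory of the kind of leftover the scanner output above reports. It walks a probe directory, flags jars that bundle log4j 1.x classes, and records whether the JMSAppender class named in the CVE-2021-4104 finding is present. The marker class and the filename pattern are heuristics assumed for this example.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class named in the CVE-2021-4104 (JMSAppender) finding quoted in the thread.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
# Assumed heuristic: a core log4j 1.x class. Jars that re-implement the
# log4j 1.x API can also match, so confirm the version by hand.
LOG4J1_MARKER = "org/apache/log4j/Category.class"
# Assumed heuristic: version taken from a filename such as log4j-1.2.17.jar.
VERSION_RE = re.compile(r"log4j-(1\.\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def inspect_jar(path):
    """Return a finding dict if the jar bundles log4j 1.x classes, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return None  # unreadable or not a real archive: skip it
    if LOG4J1_MARKER not in names:
        return None
    match = VERSION_RE.search(Path(path).name)
    return {
        "path": str(path),
        "version": match.group(1) if match else "unknown",
        # False means the class was stripped from the jar, which removes the
        # JMSAppender finding but not the unsupported-version one.
        "jms_appender": JMS_APPENDER in names,
    }


def scan(root):
    """Walk root and return findings for every jar that bundles log4j 1.x."""
    findings = []
    for jar_path in sorted(Path(root).rglob("*.jar")):
        finding = inspect_jar(jar_path)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Usage: python find_log4j1.py <probe directory>
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['path']}  version={f['version']}  JMSAppender={f['jms_appender']}")
```

Because it inspects archive contents rather than file names alone, it also reports renamed copies, which then show up with version "unknown".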


  • 5.  RE: New spectrumgtw probe

    Posted Dec 08, 2022 03:04 PM
    Hi Raphael,

    Appreciate the post.  A case has been escalated to Dev to get a response.

    Thanks,

    Larry