Steps to protect ADAudit Plus from Log4j vulnerabilities

This post was updated on 31/12/2021.
Dear users,
 
Three high-severity vulnerabilities (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) affecting multiple versions of the Apache Log4j utility were disclosed recently. We have found no evidence of any successful exploitation in ADAudit Plus as of now. However, the affected Log4j version is used by the DataEngine service of ADAudit Plus in build 6000 and above, so we strongly recommend that all customers running build 6000 and above follow the steps below to protect ADAudit Plus from these vulnerabilities.
 
Note: This procedure applies to all 3 vulnerabilities (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105).
 
1. Stop the ManageEngine ADAudit Plus service (go to Windows > Services > Right-click on ManageEngine ADAudit Plus > Stop) and wait until it stops.
 
2. Stopping the ManageEngine ADAudit Plus service should automatically stop the ManageEngine ADAudit Plus DataEngine service. In case the ManageEngine ADAudit Plus DataEngine service has not stopped automatically, stop it (go to Windows > Services > Right-click on ManageEngine ADAudit Plus DataEngine > Stop).
 
3. Move (cut and paste) the jar files listed below from '<product_installation_path>\apps\dataengine-xnode\lib' to any backup location outside the product installation path.
 
log4j-api-2.10.0.jar
log4j-core-2.10.0.jar
log4j-iostreams-2.10.0.jar
log4j-slf4j-impl-2.10.0.jar
 
(or)
 
log4j-api-2.15.0.jar
log4j-core-2.15.0.jar
log4j-iostreams-2.15.0.jar
log4j-slf4j-impl-2.15.0.jar

(or)

log4j-api-2.16.0.jar
log4j-core-2.16.0.jar
log4j-iostreams-2.16.0.jar
log4j-slf4j-impl-2.16.0.jar 

4. Download jar files from the below link:
 
5. Copy the downloaded jar files to '<product_installation_path>\apps\dataengine-xnode\lib'.
 
6. Start the ManageEngine ADAudit Plus service.
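
The procedure above as a PowerShell script for an elevated prompt, with a check that only one Log4j 2.x version is left in the lib folder afterwards. This is an added example, not ManageEngine's own tooling: the three path parameters are assumptions, the replacement jars from step 4 must already be in $NewJarDir, and the service display names are the ones given in steps 1 and 2.

```powershell
param(
    [Parameter(Mandatory)] [string] $InstallPath,  # <product_installation_path>, absolute
    [Parameter(Mandatory)] [string] $NewJarDir,    # assumed: folder holding the jars from step 4
    [Parameter(Mandatory)] [string] $BackupDir     # assumed: absolute path outside $InstallPath
)
$ErrorActionPreference = 'Stop'
$lib      = Join-Path $InstallPath 'apps\dataengine-xnode\lib'
$services = 'ManageEngine ADAudit Plus', 'ManageEngine ADAudit Plus DataEngine'
$pattern  = '^log4j-(api|core|iostreams|slf4j-impl)-(\d+\.\d+\.\d+)\.jar$'
$replaced = '2.10.0', '2.15.0', '2.16.0'           # versions step 3 moves out

function Get-Log4jJar([string] $Dir) {             # the four Log4j 2.x artifacts, any version
    @(Get-ChildItem -LiteralPath $Dir -Filter 'log4j-*.jar' | Where-Object Name -Match $pattern)
}
function Get-JarVersion($Jars) {                   # distinct version strings in a jar set
    @($Jars | ForEach-Object { $_.Name -replace $pattern, '$2' } | Sort-Object -Unique)
}

# Pre-flight: validate the replacement set and the backup location before stopping anything.
$new = @(Get-Log4jJar $NewJarDir); $newVer = @(Get-JarVersion $new)
if ($new.Count -ne 4 -or $newVer.Count -ne 1 -or $replaced -contains $newVer[0]) {
    throw "Need the 4 replacement jars at one version not in ($($replaced -join ', ')) in $NewJarDir"
}
$root   = [IO.Path]::GetFullPath($InstallPath).TrimEnd('\') + '\'
$backup = [IO.Path]::GetFullPath($BackupDir).TrimEnd('\') + '\'
if ($backup.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { throw 'Backup must be outside the installation path' }

# Steps 1-2: stop the main service, then make sure the DataEngine service is stopped too.
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name
    if ($svc.Status -eq 'Running') { Stop-Service -InputObject $svc -Force }
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
}

# Step 3: move the existing jars out. Step 5: copy the replacements in.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Get-Log4jJar $lib | ForEach-Object { Move-Item -LiteralPath $_.FullName -Destination $BackupDir; "moved  $($_.Name)" }
$new | ForEach-Object { Copy-Item -LiteralPath $_.FullName -Destination $lib; "copied $($_.Name)" }

# Check: exactly the four artifacts remain, all at the replacement version.
$left = @(Get-Log4jJar $lib); $leftVer = @(Get-JarVersion $left)
if ($left.Count -ne 4 -or $leftVer.Count -ne 1 -or $leftVer[0] -ne $newVer[0]) {
    throw "Unexpected log4j jars in ${lib}: $($left.Name -join ', ')"
}

# Step 6: start the main service.
Start-Service -DisplayName $services[0]
"log4j $($leftVer[0]) in place; service started"
```

The script leaves the log4j v1.2.15 jar untouched, since its file name does not match the four 2.x artifact names.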
 
Note:
  • ADAudit Plus does not depend on the log4j v1.2.15 jar file unless RSA SecurID two-factor authentication is enabled. If it is not enabled, that jar file (v1.2.15) can be removed. We are currently working on removing the dependency altogether, which will be reflected in our next service pack.
  • ADAudit Plus' latest release, 7050, contains Log4j version 2.17.0. ADAudit Plus is not affected by the latest Log4j vulnerability (CVE-2021-44832). Customers who want to replace Log4j version 2.17.0 with 2.17.1 can carry out the steps outlined in this post. Log4j version 2.17.1 can be downloaded from the link below: https://downloads.zohocorp.com/dnd/ADAudit_Plus/y1YCjM9Wti2GbIs/log4j-2.17.1.zip

For any additional details or assistance, please reach out to us at support@adauditplus.com or +1 844 245 1101 (toll-free).
 
Best,
ADAudit Plus.