Log4j vulnerability - Handling for the DMZ tool

Hello everyone,

 

Note: This applies exclusively to customers using the DMZ tool for closed network patching. Only the DMZ tool has a dependency file that uses the Log4j library, and hence it is vulnerable. The rest of Desktop Central / Patch Manager Plus / Vulnerability Manager Plus is not vulnerable to the Apache Log4j vulnerability. For more details about the vulnerabilities, refer to these vendor posts: CVE-2021-44228 and CVE-2021-45046.

 

The identified Log4j vulnerability (CVE-2021-44228) is classified as a zero-day vulnerability. This bug, when exploited, can allow attackers to tamper with the input data to the DMZ tool, which in turn lets them control the system hosting the DMZ tool. This vulnerability was patched in Log4j version 2.15.0, but it was later found that version 2.15.0 was vulnerable to another bug, a denial-of-service issue tracked as CVE-2021-45046. That vulnerability is fixed in Log4j version 2.16.0.

 

Resolution:

DMZ tool users are advised to upgrade to the latest version of the DMZ tool available for download on this page.

Cheers, 
The ManageEngine Team
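
To confirm after the upgrade that no older Log4j copy remains on the host, the following added example (not ManageEngine code) scans a directory for `log4j-core` jars and maps each version to the thresholds stated above. The install directory is passed as an argument because the post does not give the DMZ tool's path; the function names are this example's own.

```python
import re
import sys
import zipfile
from pathlib import Path

# Maven metadata file that log4j-core jars carry inside the archive.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_core_version(jar_path):
    """Return the log4j-core version recorded in the jar, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM not in jar.namelist():
                return None
            text = jar.read(POM).decode("utf-8", "replace")
    except (zipfile.BadZipFile, OSError):
        return None
    match = re.search(r"^version=(\S+)", text, re.MULTILINE)
    return match.group(1) if match else None


def classify(version):
    """Map a Log4j 2.x version to the status described in the advisory."""
    # Assumption: only the 2.15.0 / 2.16.0 thresholds from the post are modelled.
    nums = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not nums or nums.group(1) != "2":
        return "not-2.x"  # outside what the advisory covers
    key = (int(nums.group(2)), int(nums.group(3) or 0))
    if key < (15, 0):
        return "CVE-2021-44228"
    if key < (16, 0):
        return "CVE-2021-45046"
    return "fixed"


def scan(root):
    """Yield (jar path, version, status) for every log4j-core jar under root."""
    for jar_path in sorted(Path(root).rglob("*.jar")):
        version = log4j_core_version(jar_path)
        if version:
            yield str(jar_path), version, classify(version)


if __name__ == "__main__":
    # Usage: python check_log4j.py <DMZ tool install directory>
    findings = list(scan(sys.argv[1] if len(sys.argv) > 1 else "."))
    for path, version, status in findings:
        print(f"{status:15} {version:10} {path}")
    sys.exit(1 if any(s != "fixed" for _, _, s in findings) else 0)
```

The script exits non-zero when any jar is below 2.16.0. It does not look inside jars nested within other archives, so a clean result covers only top-level jar files under the given directory.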