[Update] Precautionary steps to protect M365 Manager Plus from Log4j vulnerability (CVE-2021-44228 , CVE-2021-45046 , CVE-2021-45105 and CVE-2021-44832)
This post has been updated on 05/01/2022.
In M365 Manager Plus, the affected log4j version is used in the bundled dependency. Our security experts are analyzing the issue and as of now, we have no conclusive evidence of our product being affected by it. However, we strongly recommend all our customers to follow the below steps as a precautionary measure.
Precautionary steps to take against this vulnerability:
Step 1: Stop M365 Manager Plus.
Step 2: Go to <M365 Manager Plus installation directory>\elasticsearch\lib folder.
Step 3: Locate and save a backup of the below mentioned files, and remove them from the lib folder.
Step 4: Download and extract the below mentioned files from this zip and add them in <M365 Manager Plus installation directory>\elasticsearch\lib folder
Step 5: Navigate to <M365 Manager Plus installation directory>\elasticsearch\plugins\search-guard-6 folder.
Step 6: Locate and save a backup of the log4j-slf4j-impl-2.11.1.jar or log4j-slf4j-impl-2.16.0.jar file, and remove the same from the search-guard-6 folder.
Step 7: Download log4j-slf4j-impl-2.17.0.jar file from here and add it in <M365 Manager Plus installation directory>\elasticsearch\plugins\search-guard-6 folder.
Step 8: Start M365 Manager Plus.
- M365 Manager Plus' latest release, 4500, contains log4j version 2.17.0. M365 Manager Plus is not affected by the latest log4j vulnerability (CVE-2021-44832). Customers who want to replace log4j version 2.17.0 with 2.17.1 can carry out the steps outlined in this post. Log4j 2.17.1 download links are provided below:
M365 Manager Plus Team
Direct Inward Dialing: +1-408-916-9836
New to ADSelfService Plus?