However, because the affected Log4j version is bundled as a dependency in ADManager Plus, we strongly recommend that all customers follow the steps below to protect ADManager Plus from these vulnerabilities.
Note:
1. This procedure is applicable for both vulnerabilities (CVE-2021-44228 and CVE-2021-45046) irrespective of ADManager Plus' current build number.
2. If you do not have the ES folder in <Installation Folder>\ADManager Plus, then your ADManager Plus instance is not vulnerable and the steps below need not be followed.
Precautionary steps to take against this vulnerability
Step 1: Stop ADManager Plus (Start > Programs > ADManager Plus > Stop ADManager Plus)
If you are running the product as a service, go to "services.msc" and stop the ManageEngine ADManager Plus service.
Step 2: Delete the following files after taking a backup. The backup path can be any location outside the ADManager Plus installation folder.
  a) <Installation folder>\ADManager Plus\ES\lib\
     i) log4j-1.2-api-2.11.1.jar
     ii) log4j-api-2.11.1.jar
     iii) log4j-core-2.11.1.jar
  b) <Installation folder>\ADManager Plus\ES\plugins\search-guard-6
     i) log4j-slf4j-impl-2.11.1.jar
Step 3: Download this ZIP file, extract it, and move the extracted files to the respective paths listed below:
  a) <Installation folder>\ADManager Plus\ES\lib\
     i) log4j-1.2-api-2.16.0.jar
     ii) log4j-api-2.16.0.jar
     iii) log4j-core-2.16.0.jar
  b) <Installation folder>\ADManager Plus\ES\plugins\search-guard-6
     i) log4j-slf4j-impl-2.16.0.jar
Step 4: Start ADManager Plus.
Thanks and Regards,
Scott
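
A read-only check of the result of Steps 2 and 3, added here as an example and not ManageEngine's own script. It assumes PowerShell 3.0 or later; the `-InstallRoot` parameter is a hypothetical name standing in for `<Installation folder>`.

```powershell
# Added example: verifies Steps 2 and 3. Read-only; it deletes and copies nothing.
param(
    # Assumption: the folder the page calls <Installation folder>.
    [Parameter(Mandatory = $true)][string]$InstallRoot
)

$product = Join-Path $InstallRoot 'ADManager Plus'
$esRoot  = Join-Path $product 'ES'

# Note 2 on the page: without an ES folder the steps need not be followed.
if (-not (Test-Path -LiteralPath $esRoot -PathType Container)) {
    Write-Output "No ES folder under '$product': the steps do not apply."
    return
}

# Directory and jar base names exactly as listed in Steps 2 and 3.
$layout = @(
    @{ Dir = (Join-Path $esRoot 'lib')
       Jars = @('log4j-1.2-api', 'log4j-api', 'log4j-core') }
    @{ Dir = (Join-Path $esRoot 'plugins\search-guard-6')
       Jars = @('log4j-slf4j-impl') }
)

$problems = @()

# Step 3: every 2.16.0 jar must be in its listed directory.
foreach ($entry in $layout) {
    foreach ($jar in $entry.Jars) {
        $new = Join-Path $entry.Dir "${jar}-2.16.0.jar"
        if (-not (Test-Path -LiteralPath $new -PathType Leaf)) {
            $problems += "Missing (Step 3): $new"
        }
    }
}

# Step 2: no 2.11.1 jar may remain anywhere under the product folder. The
# recursive scan also finds backups that were left inside the installation.
$old = Get-ChildItem -LiteralPath $product -Recurse -File `
    -Filter 'log4j-*2.11.1.jar' -ErrorAction SilentlyContinue
foreach ($file in $old) {
    $problems += "Old jar still inside installation: $($file.FullName)"
}

if ($problems.Count -eq 0) {
    Write-Output 'OK: 2.16.0 jars in place, no 2.11.1 jars under the product folder.'
} else {
    $problems | ForEach-Object { Write-Output $_ }
    exit 1
}
```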