Update 2 about Apache Log4j vulnerabilities (CVE-2021-45046 and CVE-2021-44228): Steps to protect ADManager Plus

Update 2 about Apache Log4j vulnerabilities (CVE-2021-45046 and CVE-2021-44228): Steps to protect ADManager Plus

Dear Customers,

We have now released a new build which includes the precautionary measures to protect against the Log4j vulnerability. It is sufficient if you just upgrade your ADManager Plus instance to the latest build. Download the service pack, to update your instance. To download the complete build, click here

Redundant Steps that were followed earlier: 

Two high severity vulnerabilities, (CVE-2021-44228 and CVE-2021-45046), impacting multiple versions of Apache Log4j utility, were disclosed recently. We have found no evidence of any exploitation in ADManager Plus as of now.

 

However, as the affected Log4j version is used in ADManager Plus in the bundled dependency, we strongly recommend all our customers to follow the below steps to protect ADManager Plus from the vulnerabilities.

 

Note:

 

1. This procedure is applicable for both vulnerabilities (CVE-2021-44228 and CVE-2021-45046) irrespective of ADManager Plus' current build number.

 

2. If you do not have the ES folder in the <Installation Folder>\ADManager Plus, then your ADManager Plus instance is not vulnerable and the below steps need not be followed.

Precautionary steps to take against this vulnerability 

 

Step 1: Stop ADManager Plus (Start > Programs > ADManager Plus > Stop ADManager Plus)

If you are running the product as a service, go to "services.msc" > stop ManageEngine ADManager Plus service.

 

Step 2: Delete the following files after taking a backup. The backup path can be any location outside the ADManager Plus installation folder.

 

a) <Installation folder>\ADManager Plus\ES\lib\

 

i) log4j-1.2-api-2.11.1.jar

ii) log4j-api-2.11.1.jar

iii) log4j-core-2.11.1.jar

 

b) <Installation folder>\ADManager Plus\ES\plugins\search-guard-6

 

i) log4j-slf4j-impl-2.11.1.jar

 

Step 3: Download this ZIP file, extract it, and move the extracted files to the respective paths as below:

 

a) <Installation folder>\ADManager Plus\ES\lib\

 

i) log4j-1.2-api-2.16.0.jar

ii) log4j-api-2.16.0.jar

iii) log4j-core-2.16.0.jar

 

b) <Installation folder>\ADManager Plus\ES\plugins\search-guard-6

i) log4j-slf4j-impl-2.16.0.jar

 

Step 4: Start ADManager Plus.

 

If you need any additional information or assistance in performing the recommended steps, please write to us at support@admanagerplus.com. You can also call us at +1-844-245-1108 (toll-free).
Thanks and Regards
Scott

                  New to ADSelfService Plus?