Update on the recent Apache Log4j2 vulnerabilities - Impact on ManageEngine Analytics Plus


Last Updated on : 22nd Dec 2021 09:00 GMT

Three high-severity vulnerabilities (CVE-2021-44228, CVE-2021-45105 and CVE-2021-45046), impacting multiple versions of the Apache Log4j utility, were disclosed publicly on December 9, 2021. We have found no evidence of any successful exploitation in Analytics Plus as of today. We are continuing to analyse the issue and will provide updates on any new findings.
 
However, the affected Log4j version is present in Analytics Plus as a bundled dependency, so we strongly recommend that all customers and evaluators follow the steps below as a precautionary measure:
 
Linux users:
  • Open a terminal and navigate to "AnalyticsPlus/lib/".
  • Execute the command "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class".
  • Restart Analytics Plus service.
 
 
Windows users:
  • Download and install 7-Zip from the 7-Zip home page
  • Stop Analytics Plus service
  • After installing 7-Zip, open a command prompt and navigate to the 7-Zip installation folder (ex: C:\Program Files\7-Zip\).
  • Now execute the command "7z d <Analytics_Plus_installed_Location>\AnalyticsPlus\lib\log4j-core-2.7.jar org\apache\logging\log4j\core\lookup\JndiLookup.class". This will look like "7z d C:\ManageEngine\AnalyticsPlus\lib\log4j-core-2.7.jar org\apache\logging\log4j\core\lookup\JndiLookup.class"
  • Restart Analytics Plus service.
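To confirm that the steps above actually took effect, the check below (an added example, not ManageEngine code) scans a lib directory for log4j-core jars and reports whether JndiLookup.class is still present; it also performs the same class removal as the zip/7z commands. It builds a constructed stand-in jar in a temporary directory, so it runs without an Analytics Plus installation.

```python
"""Verify the Log4j mitigation: is JndiLookup.class still inside log4j-core jars?"""
import glob
import os
import tempfile
import zipfile

# Entry removed by "zip -d" / "7z d" in the vendor steps above.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jndi_lookup_present(jar_path):
    """Return True if the jar still contains the JndiLookup class (unmitigated)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def audit_lib_dir(lib_dir):
    """Map each log4j-core-*.jar in lib_dir to True (class present) or False (removed)."""
    pattern = os.path.join(lib_dir, "log4j-core-*.jar")
    return {os.path.basename(p): jndi_lookup_present(p) for p in sorted(glob.glob(pattern))}


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; same effect as the zip/7z delete commands."""
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)  # atomic swap so a failed rewrite leaves the original intact


def make_sample_jar(path, with_jndi=True):
    """Constructed stand-in jar: placeholder bytes, not real Log4j class files."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Audit a constructed lib dir before and after removing the class."""
    lib_dir = tempfile.mkdtemp(prefix="AnalyticsPlus-lib-")
    jar = os.path.join(lib_dir, "log4j-core-2.7.jar")  # file name taken from the Windows step
    make_sample_jar(jar)
    before = audit_lib_dir(lib_dir)
    remove_jndi_lookup(jar)
    after = audit_lib_dir(lib_dir)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Point `audit_lib_dir` at the real `AnalyticsPlus/lib/` directory after running the vendor steps; any jar still reported as True has not been mitigated.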

Note: These vulnerabilities will be fixed in Analytics Plus from build 5070 (upcoming). The above steps are applicable only if your Analytics Plus is on build 5000, 5010, 5020, 5030, 5050 or 5060. Other Analytics Plus builds are not impacted.

 
For any additional details or assistance, please reach out to us at analyticsplus-support@manageengine.com.