Update on the recent Apache Log4j2 vulnerability - Impact on ManageEngine on-premises products

Last updated on: 5th May, 2022


A high-severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j2 utility was disclosed publicly on December 9, 2021. The vulnerability impacts Apache Log4j2 versions below 2.15.0. Details of this vulnerability are documented here: https://logging.apache.org/log4j/2.x/security.html

Affected product(s):
ADManager Plus
Affected versions: 7121 and below.
Updated versions: 7122 (released on 17-12-2021) and above. You can download the fixed version from here.

ManageEngine products bundled with vulnerable Log4j2 (as of 13th December, 2021):

| Product name | Jar version in bundled dependency |
|---|---|
| ADAudit Plus | V2.10.0 |
| DataSecurity Plus | V2.10.0 |
| EventLog Analyzer | V2.9.1 |
| M365 Manager Plus | V2.11.1 |
| RecoveryManager Plus | V2.11.1 |
| Exchange Reporter Plus | V2.11.1 |
| Log360 | V2.9.1 |
| Log360 UEBA | V2.11.1 |
| Cloud Security Plus | V2.9.1 |
| M365 Security Plus | V2.11.1 |
| Analytics Plus | V2.7 |

Please note that we have not identified any exploitable cases due to Log4j2 in the above products, as we do not use Log4j directly for logging. However, some of the third-party components we use bundle Log4j2 as a dependency. As an additional safety measure, customers are instructed to apply the mitigation steps listed below:

 

  1. ADManager Plus 
  2. ADAudit Plus 
  3. DataSecurity Plus 
  4. EventLog Analyzer 
  5. M365 Manager Plus
  6. M365 Security Plus 
  7. RecoveryManager Plus
  8. Exchange Reporter Plus 
  9. Log360
  10. Log360 UEBA
  11. Cloud Security Plus
  12. Analytics Plus

 

Other ManageEngine products that are not listed above are not impacted by this vulnerability.

We are continuing to analyze the issue and will update this advisory if any new information becomes available.

 

For any additional details or assistance, please contact security@manageengine.com
