Update regarding the Apache Log4j vulnerabilities - CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105

Last updated on May 6, 2022.

Hi,

Three high-severity vulnerabilities, CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, impacting multiple versions of the Apache Log4j utility, were disclosed recently. As per recent findings, ADManager Plus versions 7121 and older are impacted by the Log4j remote code execution vulnerability. We recommend that customers using ADManager Plus builds 7121 and older update to the latest version to avoid any potential risk of attack.
 
However, as the affected Log4j version is used in ADManager Plus as a bundled dependency, we strongly recommend that all our customers follow the steps below, as a precaution, to protect their ADManager Plus instance.

We have included the precautionary measures for CVE-2021-44228 and CVE-2021-45046 in ADManager Plus build 7122. Also, ADManager Plus is not affected by the latest Log4j DoS vulnerability (CVE-2021-45105), as it doesn't use non-default Pattern Layouts with context lookup. Still, as mentioned earlier, we recommend that you perform the steps below as a precautionary measure.

Precautionary steps
Note: If you do not have the ES folder in <Installation Folder>\ADManager Plus, then your ADManager Plus instance is not vulnerable and the steps below need not be followed.

Step 1: Stop ADManager Plus

Step 2: Move (cut and paste) the JAR files below from the following paths to any folder outside the ADManager Plus installation folder.
a) <Installation folder>\ADManager Plus\ES\lib\
      i) log4j-1.2-api-2.11.1.jar (or) log4j-1.2-api-2.16.0.jar
      ii) log4j-api-2.11.1.jar (or) log4j-api-2.16.0.jar
      iii) log4j-core-2.11.1.jar (or) log4j-core-2.16.0.jar

b) <Installation folder>\ADManager Plus\ES\plugins\search-guard-6
      i) log4j-slf4j-impl-2.11.1.jar (or) log4j-slf4j-impl-2.16.0.jar

Step 3: Download this ZIP file, extract it, and copy the extracted files to the respective paths below:
a) <Installation folder>\ADManager Plus\ES\lib\
      i) log4j-1.2-api-2.17.0.jar
      ii) log4j-api-2.17.0.jar
      iii) log4j-core-2.17.0.jar

b) <Installation folder>\ADManager Plus\ES\plugins\search-guard-6
      i) log4j-slf4j-impl-2.17.0.jar

Step 4: Start ADManager Plus.
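
Steps 2 and 3 can be scripted as below, together with a check that no other Log4j JAR version is left behind. This is an added example, not a ManageEngine script; the parameter names are hypothetical, and it assumes the ZIP from Step 3 has already been extracted to a local folder and that ADManager Plus is stopped (Step 1).

```powershell
# Added example (not vendor code). Run after Step 1, with ADManager Plus stopped.
param(
    [Parameter(Mandatory)][string]$InstallRoot,  # assumed: full path of "<Installation folder>\ADManager Plus"
    [Parameter(Mandatory)][string]$NewJarDir,    # assumed: folder where the ZIP from Step 3 was extracted
    [Parameter(Mandatory)][string]$BackupDir     # assumed: full path outside the installation folder
)
$ErrorActionPreference = 'Stop'
$fixed = '2.17.0'
$old   = '2.11.1', '2.16.0'          # versions named in Step 2

$es = Join-Path $InstallRoot 'ES'
if (-not (Test-Path -LiteralPath $es -PathType Container)) {
    Write-Output 'No ES folder found: per the note, these steps are not needed.'
    return
}

# Step 2 requires the old JARs to end up outside the installation folder.
$root = [IO.Path]::GetFullPath($InstallRoot).TrimEnd('\') + '\'
$bak  = [IO.Path]::GetFullPath($BackupDir).TrimEnd('\') + '\'
if ($bak.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
    throw "BackupDir must be outside $InstallRoot"
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$targets = @(
    @{ Dir = (Join-Path $es 'lib'); Names = @('log4j-1.2-api', 'log4j-api', 'log4j-core') },
    @{ Dir = (Join-Path $es 'plugins\search-guard-6'); Names = @('log4j-slf4j-impl') }
)
foreach ($t in $targets) {
    foreach ($name in $t.Names) {
        # Locate the replacement first so nothing is moved if the ZIP is incomplete.
        $new = Get-ChildItem -LiteralPath $NewJarDir -Recurse -File -Filter "$name-$fixed.jar" |
            Select-Object -First 1
        if (-not $new) { throw "Missing $name-$fixed.jar under $NewJarDir" }
        foreach ($v in $old) {                                   # Step 2
            $jar = Join-Path $t.Dir "$name-$v.jar"
            if (Test-Path -LiteralPath $jar) { Move-Item -LiteralPath $jar -Destination $BackupDir }
        }
        Copy-Item -LiteralPath $new.FullName -Destination $t.Dir -Force   # Step 3
    }
    # Check: report any Log4j JAR left in this folder that is not the fixed version.
    Get-ChildItem -LiteralPath $t.Dir -File -Filter 'log4j-*.jar' |
        Where-Object { $_.Name -notlike "*-$fixed.jar" } |
        ForEach-Object { Write-Warning "Unexpected JAR remains: $($_.FullName)" }
}
```

A run that prints no warnings means both folders now contain only the 2.17.0 JARs; continue with Step 4.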

For more information or any assistance in performing the recommended steps, please get in touch with us.

Cheers,
Team ADManager Plus
+1-844-245-1108 | support@admanagerplus.com