Update regarding the Apache Log4j vulnerabilities - CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105

Three high-severity vulnerabilities, CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, impacting multiple versions of the Apache Log4j utility, were disclosed recently. The last one was disclosed just a few days back. We have found no evidence of any exploitation in ADManager Plus to date.
However, as the affected Log4j version is used in ADManager Plus as a bundled dependency, we strongly recommend that all our customers follow the steps below, as a precaution, to protect their ADManager Plus instances.

We have included the precautionary measures for CVE-2021-44228 and CVE-2021-45046 in ADManager Plus build 7122. ADManager Plus is also not affected by the latest Log4j DoS vulnerability (CVE-2021-45105), as it doesn't use non-default Pattern Layouts with context lookup. Still, as mentioned earlier, we recommend that you perform the steps below as a precautionary measure.

Precautionary steps
Note: If you do not have the ES folder in <Installation Folder>\ADManager Plus, your ADManager Plus instance is not vulnerable and the steps below need not be followed.

Step 1: Stop ADManager Plus

Step 2: Move (cut and paste) the jar files listed below from their respective paths to any folder outside the ADManager Plus installation folder.
a) <Installation folder>\ADManager Plus\ES\lib\
      i) log4j-1.2-api-2.11.1.jar (or) log4j-1.2-api-2.16.0.jar
      ii) log4j-api-2.11.1.jar (or) log4j-api-2.16.0.jar
      iii) log4j-core-2.11.1.jar (or) log4j-core-2.16.0.jar

b) <Installation folder>\ADManager Plus\ES\plugins\search-guard-6
      i) log4j-slf4j-impl-2.11.1.jar (or) log4j-slf4j-impl-2.16.0.jar

Step 3: Download this ZIP file, extract it, and copy the extracted files to the respective paths below:
a) <Installation folder>\ADManager Plus\ES\lib\
      i) log4j-1.2-api-2.17.0.jar
      ii) log4j-api-2.17.0.jar
      iii) log4j-core-2.17.0.jar

b) <Installation folder>\ADManager Plus\ES\plugins\search-guard-6
      i) log4j-slf4j-impl-2.17.0.jar

Step 4: Start ADManager Plus.
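
A read-only PowerShell check for the outcome of Steps 2 and 3, added here as an example and not part of the original advisory. The `-ProductRoot` parameter is an assumption: set it to your own `<Installation folder>\ADManager Plus` path when running the script.

```powershell
# Added example: read-only check of the result of Steps 2 and 3; it changes nothing.
# $ProductRoot is an assumption: pass your own "<Installation folder>\ADManager Plus" path.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProductRoot
)

$esRoot = Join-Path $ProductRoot 'ES'
if (-not (Test-Path -LiteralPath $esRoot -PathType Container)) {
    # Matches the advisory's note: without an ES folder the steps need not be followed.
    Write-Output "No ES folder under '$ProductRoot'; the precautionary steps do not apply."
    return
}

# Jar names and locations exactly as listed in Step 3.
$expected = @{
    'lib'                    = @('log4j-1.2-api-2.17.0.jar', 'log4j-api-2.17.0.jar', 'log4j-core-2.17.0.jar')
    'plugins\search-guard-6' = @('log4j-slf4j-impl-2.17.0.jar')
}

$problems = @()
foreach ($relDir in $expected.Keys) {
    $dir = Join-Path $esRoot $relDir
    foreach ($jar in $expected[$relDir]) {
        $path = Join-Path $dir $jar
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $problems += "MISSING  $path"
        }
    }
}

# Step 2 moves the 2.11.1 / 2.16.0 jars outside the installation folder,
# so search the whole product tree, not only ES\lib and search-guard-6.
$oldJars = Get-ChildItem -LiteralPath $ProductRoot -Recurse -File -Filter 'log4j-*.jar' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^log4j-(1\.2-api|api|core|slf4j-impl)-2\.(11\.1|16\.0)\.jar$' }
foreach ($f in $oldJars) { $problems += "LEFTOVER $($f.FullName)" }

if ($problems.Count -eq 0) {
    Write-Output 'OK: all four 2.17.0 jars are in place and no 2.11.1/2.16.0 jars remain.'
} else {
    $problems | ForEach-Object { Write-Output $_ }
    exit 1
}
```

A `LEFTOVER` line usually means an old jar was copied instead of moved, or was backed up to a folder that is still inside the installation folder.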

For more information or any assistance in performing the recommended steps, please get in touch with us.

Team ADManager Plus
+1-844-245-1108 | support@admanagerplus.com