Update on the Apache Log4j Vulnerability

A high-severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j2 utility was disclosed publicly on December 9, 2021. The vulnerability impacts Apache Log4j2 versions below 2.15.0. You can find the details of this vulnerability documented here: https://logging.apache.org/log4j/2.x/security.html

The Applications Manager team has performed a complete analysis of its systems (including the web application and APIs) and has reasonably established that Applications Manager is not affected by the Apache Log4j vulnerability. Below is a comprehensive explanation of the vulnerabilities related to the Log4j framework and their impact on Applications Manager:
  1. CVE-2021-44228: This vulnerability applies only to applications that use Log4j versions from v2.0.0 to v2.14.1. Applications Manager uses Log4j v1.2.12 and is not impacted by this vulnerability.
  2. CVE-2021-4104: This vulnerability only affects Log4j 1.2 when specifically configured to use JMSAppender. Applications Manager does not use the JMS Appender configuration by default. However, the class file org/apache/log4j/net/JMSAppender.class has been removed from the Jar (log4j.jar) file for security reasons.
  3. CVE-2019-17571: By default, Applications Manager does not use the SocketServer configuration. However, for security reasons, the class file org/apache/log4j/net/SocketServer.class has been removed from the Jar (log4j.jar) file.
Based on the above explanations, it is clear that Applications Manager is not affected by the Apache Log4j vulnerability in any way. However, as an added security measure, the corresponding class files (stated in points 2 and 3) have been removed from the Jar (log4j.jar) file and can be found in the patch file attached with this advisory. After removing the class files from this Jar file, the logging functionality has been tested in the product and is found to be working fine.

Applying the patch file attached with this advisory implements the changes made in the Jar file (as specified in points 2 and 3) in Applications Manager. However, this is an optional step and is suggested for security purposes.
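A way to confirm the state of the jar before and after applying the patch, as an added example that is not part of the advisory or of the vendor's patch: the script reports every jar under a directory that still contains the two class files named in points 2 and 3. The `JndiLookup.class` check for Log4j 2.x goes beyond what the page names, and the function names and sample jar contents are constructed for illustration.

```python
import io
import sys
import zipfile
from pathlib import Path

# Class entries named in points 2 and 3 of the advisory.
REMOVED_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
}
# Log4j 2.x JNDI lookup class (CVE-2021-44228); this path is not given on the page.
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def audit_jar(jar):
    """Return {entry: CVE} for risky class entries present in a jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    findings = {e: cve for e, cve in REMOVED_CLASSES.items() if e in names}
    if LOG4J2_JNDI in names:
        findings[LOG4J2_JNDI] = "CVE-2021-44228"
    return findings


def audit_tree(root):
    """Audit every *.jar under root; unreadable jars are reported, not skipped."""
    report = {}
    for path in sorted(Path(root).rglob("*.jar")):
        try:
            report[str(path)] = audit_jar(path)
        except (zipfile.BadZipFile, OSError) as exc:
            report[str(path)] = {"<unreadable>": str(exc)}
    return report


def build_sample_jar(entries):
    """Build an in-memory jar with empty entries (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar_path, found in audit_tree(root).items():
        print(jar_path, "OK" if not found else f"FOUND {found}")
```

Run it with the installation directory as the argument. Jars nested inside other archives (for example inside a war file) are not unpacked by this check.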

We are continuing to analyze the issue and will update this advisory if any new information becomes available. For any additional details or assistance, please contact appmanager-support@manageengine.com

The product team is currently working on upgrading the jar file to the latest stable version, and this work will be completed soon.
