Update on the Apache Log4j Vulnerability
A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j2 utility was disclosed publicly on December 9, 2021. The vulnerability impacts Apache Log4j2 versions below 2.15.0. You can find the details of this vulnerability documented here: https://logging.apache.org/log4j/2.x/security.html
The Applications Manager team has performed a complete analysis of its systems (including the web application and APIs), and has reasonably established that Applications Manager is not affected by the Apache Log4j vulnerability. Below is a comprehensive explanation of the vulnerabilities related to the Log4j framework and their impact on Applications Manager:
- CVE-2021-44228: This vulnerability applies only to applications that use Log4j versions from v2.0.0 to v2.14.1. Applications Manager uses Log4j v1.2.12 and is not impacted by this vulnerability.
- CVE-2021-4104: This vulnerability only affects Log4j 1.2 when specifically configured to use JMSAppender. Applications Manager does not use the JMS Appender configuration by default. However, the class file org/apache/log4j/net/JMSAppender.class has been removed from the Jar (log4j.jar) file for security reasons.
- CVE-2019-17571: By default, Applications Manager does not use the SocketServer configuration. However, for security reasons, the class file org/apache/log4j/net/SocketServer.class has been removed from the Jar (log4j.jar) file.
Based on the above explanations, it is clear that Applications Manager is not affected by the Apache Log4j vulnerability in any way. However, it is always good to upgrade to the latest version of Applications Manager. Log4j was updated from version 1.2.12 to 2.17.2 in Applications Manager v15810.
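To confirm on an installed copy that the two class files named above are really absent, the following check scans a jar and any archives nested inside it. It is an added example, not ManageEngine's code; the function names are illustrative and the sample jars are constructed in memory.

```python
import io
import zipfile

# Class entries the advisory says were removed from log4j.jar, keyed to their CVE.
REMOVED_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
}
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def audit_archive(source, label="archive", max_depth=4):
    """Return sorted (location, CVE) pairs for flagged classes still present.

    `source` is a path or a binary file object. Archives nested inside it
    (a log4j.jar bundled in a WAR, for example) are scanned up to max_depth.
    """
    findings = []
    try:
        with zipfile.ZipFile(source) as zf:
            for info in zf.infolist():
                name = info.filename
                if name in REMOVED_CLASSES:
                    findings.append((f"{label}!/{name}", REMOVED_CLASSES[name]))
                elif name.lower().endswith(NESTED_SUFFIXES) and max_depth > 0:
                    inner = io.BytesIO(zf.read(info))
                    findings += audit_archive(inner, f"{label}!/{name}", max_depth - 1)
    except zipfile.BadZipFile:
        pass  # not a readable archive; report whatever was found so far
    return sorted(findings)


def make_jar(entries):
    """Build a constructed in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed samples: an unmodified-style jar, a stripped jar, a WAR bundling the first.
    stock = make_jar({"org/apache/log4j/Logger.class": b"", **{n: b"" for n in REMOVED_CLASSES}})
    stripped = make_jar({"org/apache/log4j/Logger.class": b""})
    war = make_jar({"WEB-INF/lib/log4j.jar": stock.getvalue()})
    for label, jar in (("stock.jar", stock), ("stripped.jar", stripped), ("app.war", war)):
        print(label, audit_archive(jar, label) or "clean")
```

An empty result for the product's log4j.jar matches the state the advisory describes; any entry returned points to a copy that still ships the class.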