  • Hi, we really need an "Official" statement from Snow on this ASP!

  • Karen Peacock (Flexera Software)

    Hi @Mathias Wündisch and @Boban Mitic, we are of course working on a statement and plan to have this published on Snow Globe as soon as it's fully verified.

    • Hey Karen,

      Is there an ETA on the statement? Only asking due to the nature of it :)

  • I tried calling, but I am only getting voicemails. Also looking for the impact on Commander.

    A quick search shows that Commander uses the log4j (Tomcat), making it very probable that the Commander software is vulnerable, but no official statement to be found. Or I haven't found it yet.

    • Hey @Danny van den Akker,

      By default Tomcat is configured to use java.util.logging, so unless it's been changed to use log4j by Snow (or Embotics before Snow bought them over) or someone has changed it at your company after the install for better logging, it's likely you're 'reasonably' safe.

      Worth checking in WEB-INF/lib and WEB-INF/classes if Log4j exists, and checking in $CATALINA_BASE/lib to see if log4j.properties exists in there.

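The check suggested in the reply above, written out as a script. This is an added example, not part of the thread and not Snow or Flexera code; the function names and output labels are made up for the illustration, and the version range is the one published for CVE-2021-44228.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): list Log4j jars and config files in a Tomcat base.
# Matching is by file name only, so jars repackaged inside other archives are not seen.

# Is a log4j-core version inside the range published for CVE-2021-44228
# (2.0-beta9 through 2.14.1, fixed in 2.15.0)? Conservative: every 2.x below
# 2.15 is flagged, so confirm the exact release against the Apache advisory.
classify_log4j_core() {
  local ver="$1" major minor
  major="${ver%%.*}"
  minor="${ver#*.}"; minor="${minor%%[!0-9]*}"
  if [ "$major" != "2" ]; then echo "NOT-2X"
  elif [ "${minor:-0}" -lt 15 ]; then echo "AFFECTED-RANGE"
  else echo "OUTSIDE-RANGE"; fi
}

# Print one line per finding: "<kind> <label> <version-or-dash> <path>".
scan_tomcat_log4j() {
  local base="${1%/}" f name
  [ -d "$base" ] || { echo "error: '$base' is not a directory" >&2; return 2; }
  # Jars in any webapp's WEB-INF/lib and in the shared $CATALINA_BASE/lib.
  find "$base" -type f -name 'log4j*.jar' \
       \( -path '*/WEB-INF/lib/*' -o -path "$base/lib/*" \) | sort |
  while IFS= read -r f; do
    name="$(basename "$f" .jar)"
    case "$name" in
      log4j-core-*) echo "jar $(classify_log4j_core "${name#log4j-core-}") ${name#log4j-core-} $f" ;;
      log4j-1.*)    echo "jar LOG4J-1X ${name#log4j-} $f" ;;
      *)            echo "jar OTHER - $f" ;;
    esac
  done
  # log4j.properties / log4j.xml are Log4j 1.x default config names; log4j2* is 2.x.
  find "$base" -type f ! -name '*.jar' \
       \( -name 'log4j.properties' -o -name 'log4j.xml' -o -name 'log4j2*' \) \
       \( -path '*/WEB-INF/classes/*' -o -path "$base/lib/*" \) | sort |
  while IFS= read -r f; do
    case "$(basename "$f")" in
      log4j2*) echo "config LOG4J-2X - $f" ;;
      *)       echo "config LOG4J-1X - $f" ;;
    esac
  done
}

# Run against a real instance: ./scan.sh "$CATALINA_BASE"
if [ -n "${1:-}" ]; then scan_tomcat_log4j "$1"; fi
```

A `config LOG4J-1X` line on its own, such as a log4j.properties in `$CATALINA_BASE/lib`, shows that a Log4j 1.x style configuration is present; the `jar` lines show which library versions are actually deployed.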
  • That was the link I was referring to. Checking on the system, there is definitely a log4j.properties.

  • Karen Peacock (Flexera Software)

    Hi all, I wanted to share that there has been a new post on the New & Updates group: https://community.flexera.com/s/feed/0D5690000B5879cCQA

    Also that we have put together some guidelines and insights about how Snow can help with finding potential installations affected by CVE-2021-44228. As we learn more we will be sure to update and improve the advice we've given here: https://community.flexera.com/s/article/How-Snow-can-help-with-CVE-2021-44228

    Selected as Best
  • Hi,

    We are still waiting for an official statement. Also, are the Snow inventory agent components affected?

Can I have an official statement from Snow that SLM, SIM, Si are not affected by the Log4j problem? Except perhaps Commander?