CVE-2019-17571: Log4j vulnerability impact on FlexNet Embedded

Summary:

A vulnerability identified as CVE-2019-17571 has been reported in the Apache Log4j library. This article discusses the impact of this vulnerability on the FlexNet Embedded Local License Server.

Description:

The Apache Log4j vulnerability referenced by the CVE identifier CVE-2019-17571 does not affect the License Server.

In essence, the vulnerability referenced by CVE-2019-17571 requires that an Apache Log4j server is configured to receive log events via TCP/UDP using the SocketServer class [1]. If malicious log events can be received by such a SocketServer, and the SocketServer is connected to deserialization logic, then arbitrary code execution becomes possible through deserialization of the malicious log events. The root cause of the issue is the use of the "configureHierarchy" and "genericHierarchy" methods within the SocketServer class [2].

The License Server does not use any SocketServer in its default configuration. Furthermore, the License Server is neither intended nor designed to use the SocketServer, and therefore provides no means to configure and integrate a SocketServer (including any deserialization logic) through the existing License Server configuration. Note that the maintainers of Apache Log4j also recommend against the use of serialization and deserialization in the remote logging context as part of their security best practices [3], since Java serialization and deserialization are inherently insecure features of the Java ecosystem.

Therefore, the License Server neither uses nor exposes the vulnerable SocketServer class and is considered unaffected by CVE-2019-17571.
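The reasoning above rests on two checks a practitioner can repeat in their own deployment: whether the Log4j 1.x jar on the classpath even ships the SocketServer class, and whether any JVM on the host is actually started with that class as its main class (the only way a SocketServer listens). The following is an added example, not code from the article or from Flexera; the jar contents and command lines are constructed, and `lls.jar` and the ports are placeholders.

```python
"""Added example: assess exposure to CVE-2019-17571 by inventorying the Log4j jar
and the JVM command lines on a host. The jar and command lines below are constructed."""
import io
import re
import zipfile

SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
# The standalone receiver is launched as a JVM main class, e.g.
# "java -cp log4j-1.2.x.jar org.apache.log4j.net.SocketServer <port> <config> <dir>"
SOCKET_SERVER_MAIN = re.compile(r"(?:^|\s)org\.apache\.log4j\.net\.SocketServer(?:\s|$)")


def jar_ships_socket_server(jar_bytes: bytes) -> bool:
    """Return True if the jar (raw bytes) contains the SocketServer class at all."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return SOCKET_SERVER_CLASS in jar.namelist()


def socket_server_launches(cmdlines):
    """Return the JVM command lines that start SocketServer as their main class."""
    return [c for c in cmdlines if SOCKET_SERVER_MAIN.search(c)]


def assess(jar_bytes: bytes, cmdlines) -> str:
    """Classify exposure: the class only matters if something actually runs it."""
    if not jar_ships_socket_server(jar_bytes):
        return "not-shipped"
    if socket_server_launches(cmdlines):
        return "listening"           # a socket-based log receiver is running
    return "shipped-but-unused"      # the article's situation: present, never started


def build_sample_jar(include_socket_server: bool) -> bytes:
    """Constructed stand-in for a log4j-1.2.x jar with only a few entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"")
        if include_socket_server:
            jar.writestr(SOCKET_SERVER_CLASS, b"")
    return buf.getvalue()


# Constructed command lines; "lls.jar" and the ports are placeholders, not real values.
SAMPLE_CMDLINES = [
    "java -jar lls.jar --port 7070",
    "java -cp log4j-1.2.x.jar org.apache.log4j.net.SocketServer 4560 server.properties /etc/log4j",
]

if __name__ == "__main__":
    print(assess(build_sample_jar(True), SAMPLE_CMDLINES[:1]))  # shipped-but-unused
    print(assess(build_sample_jar(True), SAMPLE_CMDLINES))      # listening
    print(assess(build_sample_jar(False), SAMPLE_CMDLINES))     # not-shipped
```

On a real host, feed `assess` the bytes of the deployed Log4j jar and the output of `ps -eo args` (or the equivalent process listing) instead of the constructed samples.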

Resolution:

No resolution required.

Workaround:

No workaround required.

References:

[1] https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/net/SocketServer.html
[2] https://logging.apache.org/log4j/1.2/xref/org/apache/log4j/net/SocketServer.html
[3] https://issues.apache.org/jira/browse/LOG4J2-1863?focusedCommentId=16217905&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16217905

Additional Information:

Last update: Jan 03, 2022 10:18 PM