CVE-2021-4104: Log4j vulnerability impact on FlexNet Embedded

Summary:

A vulnerability identified as CVE-2021-4104 has been reported in the Apache Log4j library. Related vulnerabilities have also been identified as CVE-2022-23302, CVE-2022-23305, and CVE-2020-9488. This article addresses all three vulnerabilities. 

Description:

The Apache Log4j vulnerability referenced by the CVE identifier CVE-2021-4104 does not affect the License Server in its default behavior. This issue only affects if the license server logging is integrated with external systems using Log4J Socket Appender. 

This integration is described in the License Server Producer Guide (Appendix E) and the License Server Administration Guide (Appendix D), under the section "Integration of License Server Logging With External Systems." 

NOTE: The license server is not configured to use this class as default, hence the license server is not affected by the vulnerabilities by default.

Similarly, CVE-2022-23302, CVE-2022-23305, and CVE-2020-9488 do not affect the License Server in its default configuration.

Resolution:

Refrain from using Log4J Socket Appender as an external logging mechanism.

Additional Information:

• CVE Definition: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
• Expanded CVE Definition: https://www.cve.org/CVERecord?id=CVE-2021-4104
• CVE Definition: https://nvd.nist.gov/vuln/detail/CVE-2022-23302
• Expanded CVE Definition: https://www.cve.org/CVERecord?id=CVE-2022-23302
• CVE Definition: https://nvd.nist.gov/vuln/detail/CVE-2022-23305
• Expanded CVE Definition: https://www.cve.org/CVERecord?id=CVE-2022-23305
• CVE Definition: https://nvd.nist.gov/vuln/detail/CVE-2020-9488
• Expanded CVE Definition: https://www.cve.org/CVERecord?id=CVE-2020-9488