CVE-2021-44228: Log4j vulnerability impact on FlexNet Embedded
Summary
A vulnerability identified as CVE-2021-44228 has been reported in the Apache Log4j library. This vulnerability may allow for remote code execution in susceptible products.
Problem Description
Upon analysis, CVE-2021-44228 has been determined to impact the optional FlexNet License Server Manager (FLSM) component packaged with the FlexNet Embedded local license server.
Resolution
Revenera has provided a FlexNet Embedded 2021.12 local license server that does not contain the FlexNet License Server Manager component. This updated package is available for download on the Product and License Center.
A separate FlexNet License Server Manager (FLSM) package that does not use the vulnerable Log4j component is available for download from the Product and License Center. The package files are:
| For Windows | For Linux |
|---|---|
| flexnet-flsm-windows-2021.12.2.zip | flexnet-flsm-linux-2021.12.2.tar.gz |
Workaround
We advise customers to temporarily cease using the FlexNet License Server Manager until the new package is available. Customers who wish to continue using the FlexNet License Server Manager in the meantime may mitigate risk by adding -Dlog4j2.formatMsgNoLookups=true to the JAVA_OPTS environment variable set in the Tomcat CATALINA_HOME/bin directory:
| Operating System | Directions |
|---|---|
| Windows | Edit setenv.bat in CATALINA_HOME/bin and append "-Dlog4j2.formatMsgNoLookups=true" if it exists. If it doesn't exist, create a new file and add set JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true" |
| Linux | Edit setenv.sh in CATALINA_HOME/bin and append "-Dlog4j2.formatMsgNoLookups=true" if it exists. If it doesn't exist, create a new file and add export JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true" |
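The Linux row of the table above as an added shell script (this is not Revenera's tooling); it assumes the argument is the CATALINA_HOME of the Tomcat instance that hosts FLSM, creates or appends to bin/setenv.sh, does not duplicate the flag on repeated runs, and verifies the result by sourcing the file the way catalina.sh does:

```shell
#!/bin/sh
# Added example, not Revenera's script: apply the Linux workaround above to
# CATALINA_HOME/bin/setenv.sh without duplicating the flag on repeated runs.
# Assumes $1 is the CATALINA_HOME of the Tomcat instance that hosts FLSM.

LOG4J_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Path of the file Tomcat's catalina.sh sources on startup.
setenv_path() {
    printf '%s/bin/setenv.sh\n' "$1"
}

# Succeeds if the file already carries the flag (grep -F: literal match,
# -- so the leading "-D" is not parsed as a grep option).
has_flag() {
    grep -qF -- "$LOG4J_FLAG" "$1" 2>/dev/null
}

# Create setenv.sh with an export JAVA_OPTS line, or append the flag to the
# existing JAVA_OPTS if the file is already present, as the table directs.
apply_workaround() {
    f="$(setenv_path "$1")"
    if [ ! -d "$1/bin" ]; then
        echo "no bin directory under $1; is this CATALINA_HOME?" >&2
        return 1
    fi
    if has_flag "$f"; then
        echo "already mitigated: $f"
        return 0
    fi
    if [ -f "$f" ]; then
        # Keep whatever options the file already exports and add the flag.
        printf 'export JAVA_OPTS="$JAVA_OPTS %s"\n' "$LOG4J_FLAG" >> "$f"
    else
        printf 'export JAVA_OPTS="%s"\n' "$LOG4J_FLAG" > "$f"
    fi
    echo "applied to $f"
}

# Check the result the way Tomcat would see it: source the file in a subshell
# and confirm the flag is a whole word inside the resulting JAVA_OPTS.
verify_workaround() {
    f="$(setenv_path "$1")"
    ( . "$f" && case " $JAVA_OPTS " in
        *" $LOG4J_FLAG "*) exit 0 ;;
        *) exit 1 ;;
      esac )
}
```

Restart Tomcat after running it so the new JAVA_OPTS reach the FLSM JVM; the Windows setenv.bat row needs the equivalent edit by hand.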
Additional Information
- CVE Definition: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- Expanded CVE Definition: https://www.cve.org/CVERecord?id=CVE-2021-44228
- Apache Security Site for CVE severity, score, and vector string: https://logging.apache.org/log4j/2.x/security.html
There's no mention of FlexNet Agent, which contains log4j-1-2-17.jar.
Can we assume this is not vulnerable?
Hi @cvirata,
We were assessing log4j v1.2.17 further and noticed that v1.2.17 itself has vulnerabilities associated with it (https://nvd.nist.gov/vuln/detail/CVE-2019-17571).
There is some chatter that removing JMSAppender and SocketServer can mitigate known issues with log4j v1.2.17.
Could it be confirmed that FNE with log4j v1.2.17 is not susceptible to CVE-2019-17571, meaning that JMSAppender and SocketServer are removed?
Thank you.
@cvirata I believe flexnet_client-xt-java-x64_linux is also affected by log4j vulnerability. Is there an ETA on the fix?
@markyeoh the team was able to confirm that the FlexNet Embedded local license server is not affected by CVE-2019-17571. This has been documented in the KB article: https://community.flexera.com/t5/FlexNet-Embedded-Knowledge-Base/CVE-2019-17571-Log4j-vulnerability-impact-on-FlexNet-Embedded/ta-p/218993
@eugene_grinberg I've passed along your concern to our Engineering team and will get back to you as soon as I have information.