CVE-2021-44228: Log4j vulnerability impact on FlexNet Embedded
Summary
A vulnerability identified as CVE-2021-44228 has been reported in the Apache Log4j library. This vulnerability may allow for remote code execution in susceptible products.
Problem Description
Upon analysis, CVE-2021-44228 has been determined to impact the optional FlexNet License Server Manager (FLSM) component packaged with the FlexNet Embedded local license server.
Resolution
Revenera has provided a FlexNet Embedded 2021.12 local license server that does not contain the FlexNet License Server Manager component. This updated package is available for download on the Product and License Center.
A separate FlexNet License Server Manager (FLSM) package that does not use the vulnerable Log4j component is available for download from the Product and License Center. The package files are:
| For Windows | For Linux |
|---|---|
| flexnet-flsm-windows-2021.12.2.zip | flexnet-flsm-linux-2021.12.2.tar.gz |
Workaround
We advise customers to temporarily stop using the FlexNet License Server Manager until the new package is available. Customers who wish to continue using the FlexNet License Server Manager may mitigate the risk by adding -Dlog4j2.formatMsgNoLookups=true to the JAVA_OPTS environment variable in the Tomcat CATALINA_HOME/bin directory:

| Operating System | Directions |
|---|---|
| Windows | Edit setenv.bat in CATALINA_HOME/bin and append "-Dlog4j2.formatMsgNoLookups=true" if the file exists. If it does not exist, create a new file and add set JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true" |
| Linux | Edit setenv.sh in CATALINA_HOME/bin and append "-Dlog4j2.formatMsgNoLookups=true" if the file exists. If it does not exist, create a new file and add export JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true" |
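The Linux directions above, as an added example that is not part of the Revenera article: one POSIX shell function applies the setenv.sh change idempotently (create the file, or append to an existing JAVA_OPTS), and a second one sources the file the way catalina.sh does and checks that JAVA_OPTS really carries the flag. CATALINA_HOME is passed as the argument; the file layout is the one the table assumes.

```shell
#!/bin/sh
# Added example, not from the KB article. Applies and verifies the
# Linux workaround from the table: JAVA_OPTS in CATALINA_HOME/bin/setenv.sh
# must carry the Log4j system property named in the article.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# ensure_no_lookups CATALINA_HOME
# Creates bin/setenv.sh exporting JAVA_OPTS with the flag when the file is
# missing; otherwise appends a line that adds the flag to the existing
# JAVA_OPTS. Running it twice leaves the file unchanged.
ensure_no_lookups() {
  setenv="$1/bin/setenv.sh"
  if [ ! -f "$setenv" ]; then
    mkdir -p "$1/bin"
    printf 'export JAVA_OPTS="%s"\n' "$FLAG" > "$setenv"
  elif ! grep -qF -- "$FLAG" "$setenv"; then
    printf 'export JAVA_OPTS="$JAVA_OPTS %s"\n' "$FLAG" >> "$setenv"
  fi
  chmod +x "$setenv"
}

# has_no_lookups CATALINA_HOME
# Sources setenv.sh in a subshell (as catalina.sh does at startup) and
# returns 0 only if the resulting JAVA_OPTS contains the exact flag; a
# typo such as a missing leading dash or wrong case is reported as absent.
has_no_lookups() {
  setenv="$1/bin/setenv.sh"
  [ -f "$setenv" ] || return 1
  opts=$(JAVA_OPTS=''; . "$setenv"; printf '%s' "$JAVA_OPTS")
  case " $opts " in
    *" $FLAG "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage on a real install (CATALINA_HOME path is an assumption):
#   ensure_no_lookups /opt/tomcat && has_no_lookups /opt/tomcat && echo applied
```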
Additional Information
- CVE Definition: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- Expanded CVE Definition: https://www.cve.org/CVERecord?id=CVE-2021-44228
- Apache Security Site for CVE severity, score, and vector string: https://logging.apache.org/log4j/2.x/security.html
Is the 'FlexNet Embedded 2021.12 local license server that does not contain the FlexNet License Server Manager component' available now on downloads?
Hello @mrimon - yes, the modified version of the FlexNet Embedded 2021.12 local license server, without FLSM, is available for download on the Product and License Center.
Any ETA on the full patch release cvirata?
There's no mention of FlexNet Agent which contains log4j-1-2-17.jar
Can we assume this is not vulnerable?
Any updates on an ETA for full patch?
@mrimon - I've followed up with our Product and Engineering team to see if we have an ETA for a long term solution for FLSM. I will post an update as soon as I have one. Thank you for your patience.
Hi @cvirata,
We were assessing log4j v1.2.17 further and noticed that v1.2.17 itself has vulnerabilities associated with it (https://nvd.nist.gov/vuln/detail/CVE-2019-17571).
There is some chatter that removing JMSAppender and SocketServer can mitigate known issues with log4j v1.2.17.
Could it be confirmed that FNE with log4j v1.2.17 is not susceptible to CVE-2019-17571, meaning that JMSAppender and SocketServer are removed?
Thank you.
@cvirata I believe flexnet_client-xt-java-x64_linux is also affected by log4j vulnerability. Is there an ETA on the fix?
@markyeoh the team was able to confirm that the FlexNet Embedded local license server is not affected by CVE-2019-17571. This has been documented in the KB article: https://community.flexera.com/t5/FlexNet-Embedded-Knowledge-Base/CVE-2019-17571-Log4j-vulnerability-impact-on-FlexNet-Embedded/ta-p/218993
@eugene_grinberg I've passed along your concern to our Engineering team and will get back to you as soon as I have information.