cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CVE-2021-44228: Log4j vulnerability impact on FlexNet Embedded

CVE-2021-44228: Log4j vulnerability impact on FlexNet Embedded

Summary

A vulnerability identified as CVE-2021-44228 has been reported in the Apache Log4j library. This vulnerability may allow for remote code execution in susceptible products.

Problem Description

Upon analysis, CVE-2021-44228 has been determined to impact the optional FlexNet License Server Manager (FLSM) component packaged with the FlexNet Embedded local license server.

Resolution

Revenera has provided a FlexNet Embedded 2021.12 local license server that does not contain the FlexNet License Server Manager component. This updated package is available for download on the Product and License Center.

A separate FlexNet License Server Manager (FLSM) package that does not use the vulnerable Log4j component is available for download from the Product and License Center. The package files are:

For Windows For Linux
flexnet-flsm-windows-2021.12.2.zip flexnet-flsm-linux-2021.12.2.tar.gz

Workaround

We advise customers to temporarily cease using the FlexNet License Server Manager until the new package is available. However, customers who wish to continue using the FlexNet License Server Manager may mitigate risk by including Dlog4j2.formatMsgNoLookups=true to JAVA_OPTS environment variable in Tomcat CATALINA_HOME/bin directory:

Operating System Directions
Windows

Edit setenv.bat and append "-Dlog4j2.formatMsgNoLookups=true" if exists.

If it doesn't exist, create new file and add set JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"

Linux

Edit setenv.sh in CATALINA_HOME/bin and append "-Dlog4j2.formatMsgNoLookups=true" if exists

If this doesn't exist, create a new file and add export JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"

Additional Information

Labels (1)
No ratings
Comments

Is the 'FlexNet Embedded 2021.12 local license server that does not contain the FlexNet License Server Manager component' available now on downloads?

Hello @mrimon - yes, the modified version of the FlexNet Embedded 2021.12 local license server, without FLSM, is available for download on the Product and License Center. 

Any ETA on the full patch realease cvirata?

There's no mention of FlexNet Agent which contains log4j-1-2-17.jar

Can we assume this is not vulnerable?

Any updates on an ETA for full patch?

@mrimon - I've followed up with our Product and Engineering team to see if we have an ETA for a long term solution for FLSM. I will post an update as soon as I have one. Thank you for your patience.

Hi @cvirata,

We were assessing log4j v1.2.17 further and noticed that v1.2.17 itself has vulnerabilities associated to it (https://nvd.nist.gov/vuln/detail/CVE-2019-17571). 

There is some chatter that removing JMSAppender and SocketServer can mitigate known issues with log4j v1.2.17.

Could it be confirmed that FNE with log4j v1.2.17 is not susceptible to CVE-2019-17571, meaning that JMSAppender and SocketServer are removed.

Thank you.

@cvirata I believe flexnet_client-xt-java-x64_linux is also affected by log4j vulnerability. Is there an ETA on the fix?

@markyeoh the team was able to confirm that the FlexNet Embedded local license server is not affected by CVE-2019-17571. This has been documented in the KB article: https://community.flexera.com/t5/FlexNet-Embedded-Knowledge-Base/CVE-2019-17571-Log4j-vulnerability-impact-on-FlexNet-Embedded/ta-p/218993

@eugene_grinberg I've passed along your concern to our Engineering team and will get back to you as soon as I have information. 

Version history
Last update:
‎Feb 10, 2023 04:29 PM
Updated by: