Solved: Re: Log4j vulnerability

flexeranoob · ‎Jan 30, 2022

Our security team has asked us to mitigate the Log4j vulnerability identified on FNMS servers. We have 2019 R2 installed. They have suggested we can upgrade the Java version.

Fixed in Java8 Version -2.17.1, 2.17.0, 2.16.0
Fixed in Java7 Version- 2.12.4
Fixed in Java6 Version- 2.3.2

Please let me know if I can expect any challenges if i perform the upgrade. Will there be any application issues or performance issues?

ChrisG · ‎Jan 31, 2022

FlexNet Manager Suite itself doesn't use any Java installation that is directly upgradable. If you have a Java installation on a server that you can upgrade then I can't think of any reason that would have any impact on FlexNet Manager Suite. Of course, it is always recommended to try this out in a test environment before touching production.

The IBM Cognos product included in Flexera Analytics does include an installation of Java. That Java installation is not directly upgradable by yourself, as the Java install is bundled with IBM Cognos.

If you are seeking to mitigate Log4j vulnerabilities in an Flexera Analytics/IBM Cognos installation that is used with FlexNet Manager Suite, please see the following article for guidance: Flexera Analytics (Cognos) mitigation for Apache Log4j 2 vulnerability CVE-2021-44228

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

View solution in original post

ChrisG · ‎Jan 31, 2022

FlexNet Manager Suite itself doesn't use any Java installation that is directly upgradable. If you have a Java installation on a server that you can upgrade then I can't think of any reason that would have any impact on FlexNet Manager Suite. Of course, it is always recommended to try this out in a test environment before touching production.

The IBM Cognos product included in Flexera Analytics does include an installation of Java. That Java installation is not directly upgradable by yourself, as the Java install is bundled with IBM Cognos.

If you are seeking to mitigate Log4j vulnerabilities in an Flexera Analytics/IBM Cognos installation that is used with FlexNet Manager Suite, please see the following article for guidance: Flexera Analytics (Cognos) mitigation for Apache Log4j 2 vulnerability CVE-2021-44228

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

flexeranoob · ‎Jan 31, 2022

Thanks @ChrisG

We do have the Cognos installed, but rarely used. This vulnerability has also showed up on our FNMEA server.

We will either remove Cognos (not very useful) or upgrade Java

ChrisG · ‎Jan 31, 2022

See the following article for Log4j vulnerability mitigation guidance in relation to FlexNet Manager for Engineering Applications: FlexNet Manager for Engineering Applications mitigation for Apache Log4j 1.2 vulnerability CVE-2021-4104

To be clear, while you may want to upgrade installations of Java that you have (and that is not necessarily a bad thing to do in and of itself), I don't believe upgrading Java is in any way a mitigation for Log4j vulnerabilities. Log4j vulnerabilities may be present regardless of the version of Java in use.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

flexeranoob · ‎Jan 31, 2022

our security team has informed us that the following versions of Java would not have the vulnerability

Fixed in Java8 Version -2.17.1, 2.17.0, 2.16.0
Fixed in Java7 Version- 2.12.4
Fixed in Java6 Version- 2.3.2

We will take additional steps identified by you as well. Thank you for your help