Our security team has asked us to mitigate the Log4j vulnerability identified on FNMS servers. We have 2019 R2 installed. They have suggested we can upgrade the Java version.
Fixed in Java 8 version: 2.17.1, 2.17.0, 2.16.0
Fixed in Java 7 version: 2.12.4
Fixed in Java 6 version: 2.3.2
Please let me know if I can expect any challenges if I perform the upgrade. Will there be any application issues or performance issues?
Jan 30, 2022 10:35 PM
FlexNet Manager Suite itself doesn't use any Java installation that is directly upgradable. If you have a Java installation on a server that you can upgrade then I can't think of any reason that would have any impact on FlexNet Manager Suite. Of course, it is always recommended to try this out in a test environment before touching production.
The IBM Cognos product included in Flexera Analytics does include an installation of Java. That Java installation is not directly upgradable by yourself, as the Java install is bundled with IBM Cognos.
If you are seeking to mitigate Log4j vulnerabilities in a Flexera Analytics/IBM Cognos installation that is used with FlexNet Manager Suite, please see the following article for guidance: Flexera Analytics (Cognos) mitigation for Apache Log4j 2 vulnerability CVE-2021-44228
Jan 31, 2022 01:30 AM
Thanks @ChrisG
We do have Cognos installed, but it is rarely used. This vulnerability has also shown up on our FNMEA server.
We will either remove Cognos (not very useful) or upgrade Java.
Jan 31, 2022 01:45 AM
See the following article for Log4j vulnerability mitigation guidance in relation to FlexNet Manager for Engineering Applications: FlexNet Manager for Engineering Applications mitigation for Apache Log4j 1.2 vulnerability CVE-2021-4104
To be clear, while you may want to upgrade installations of Java that you have (and that is not necessarily a bad thing to do in and of itself), I don't believe upgrading Java is in any way a mitigation for Log4j vulnerabilities. Log4j vulnerabilities may be present regardless of the version of Java in use.
Jan 31, 2022 01:51 AM
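The reply above notes that Log4j vulnerabilities are independent of the Java version in use. As an added example (not part of the thread and not a Flexera tool), this Python sketch inventories the `log4j-core` copies on disk and flags whether each one is among the versions listed in this thread. It assumes each JAR still carries its Maven `pom.properties` metadata; the function names and the sample tree are constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Maven metadata entry that log4j-core JARs carry; it records the Log4j version.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Log4j versions the thread lists as fixed (copied from the posts above).
LISTED_FIXED = {"2.17.1", "2.17.0", "2.16.0", "2.12.4", "2.3.2"}
ARCHIVES = (".jar", ".war", ".ear")

def versions_in_archive(fileobj, label):
    """Yield (location, version) per log4j-core found, descending into nested archives."""
    try:
        with zipfile.ZipFile(fileobj) as zf:
            for name in zf.namelist():
                if name == POM:
                    for line in zf.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            yield label, line.split("=", 1)[1].strip()
                elif name.lower().endswith(ARCHIVES):
                    yield from versions_in_archive(io.BytesIO(zf.read(name)), f"{label}!{name}")
    except zipfile.BadZipFile:
        return  # unreadable or corrupt archive: skip it

def scan(root):
    """Return [(location, version, listed_as_fixed)] for each log4j-core under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            with path.open("rb") as fh:
                for loc, ver in versions_in_archive(fh, str(path)):
                    findings.append((loc, ver, ver in LISTED_FIXED))
    return findings

def build_sample_tree(root):
    """Constructed sample: a bare log4j-core JAR plus one nested inside a WAR."""
    def jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
        return buf.getvalue()
    Path(root, "log4j-core-2.17.1.jar").write_bytes(jar("2.17.1"))
    with zipfile.ZipFile(Path(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar("2.14.1"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)  # on a real server, call scan() on the install directory
        print(*scan(tmp), sep="\n")
```

Repackaged or shaded JARs that drop the Maven metadata will not be reported, so an empty result is not proof that Log4j is absent.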
Our security team has informed us that the following versions of Java would not have the vulnerability:
Fixed in Java 8 version: 2.17.1, 2.17.0, 2.16.0
Fixed in Java 7 version: 2.12.4
Fixed in Java 6 version: 2.3.2
We will take additional steps identified by you as well. Thank you for your help
Jan 31, 2022 02:29 AM