A vulnerability has been publicly disclosed in Apache Log4j 1.2. The vulnerability has been assigned the identifier CVE-2021-4104 with a CVSS score of “High”.
FlexNet Manager for Engineering Applications versions up to and including 2021 R1 include Log4j 1.2 components, and thus are potentially exposed to this vulnerability. This article describes the potential impact of the vulnerability on FlexNet Manager for Engineering Applications and options for mitigation.
Vulnerability description and impact
CVE-2021-4104 is described in the CVE List as follows:
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.
The default configuration of FlexNet Manager for Engineering Applications does not meet the preconditions described for the vulnerability to be exploited.
The following steps should be taken on all computers on which FlexNet Manager for Engineering Applications components are installed:
Audit your logging configuration to ensure it has no JMSAppender configured.
Logging configuration is stored in files named log4j.xml. Such configuration would be highly unusual for a FlexNet Manager for Engineering Applications installation, and would only appear if a non-default configuration has been applied.
Ensure appropriate access controls are in place to ensure only authorized users have access to computers. (This is appropriate to do regardless of the impact from Log4j.)