ACAS vulnerabilities hitting for Log4J
One of our customers is getting ACAS vulnerabilities hitting for Log4J which is included in Flexlm license server setup version - lmadmin-x64_n6-22.214.171.124.
Path : C:\Users\ashish\Downloads\lmadmin-x64_n6-126.96.36.199\examples\alerter\lib\log4j-core-2.17.0.jar
Included version : 2.17.0
Fixed version : 2.17.1
Can this jar be simply replaced with the fixed jar version? Or is there any patch for this? Or can we delete 'examples' folder entirely?
Hi @ashish01, Yes, you can download the jar and replace it if required, more info @ https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2021-44228-amp-CVE-2021-45105-Log4j-Vulnerability-Impact-on/ta-p/217384
It's best to check with the software vendor for specific guidance. However, generally, updating the log4j-core jar to the fixed version or deleting the 'examples' folder (if not in use) should help mitigate the vulnerability. Always back up before making changes.
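An added example, not part of the thread and not Flexera's tooling: after replacing the jar or deleting the 'examples' folder, a check like this confirms no log4j-core jar older than the fixed version 2.17.1 is left under the install directory. It assumes the jar carries the usual Maven `pom.properties` metadata and falls back to the file name when it does not; the function names are illustrative.

```python
import re
import sys
import zipfile
from pathlib import Path

FIXED = (2, 17, 1)  # fixed version quoted in the scanner finding above
# Assumption: version metadata that Maven-built log4j-core jars normally carry.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.17.0' into (2, 17, 0); return None if no x.y.z is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def jar_version(jar_path):
    """Prefer the version recorded inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS in jar.namelist():
                props = jar.read(POM_PROPS).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        pass  # unreadable archive: the file name is all we have
    return parse_version(Path(jar_path).name)


def scan(root):
    """Return (path, version, needs_update) for every log4j-core jar under root."""
    findings = []
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        version = jar_version(jar)
        # An unknown version is reported as needing attention, not as clean.
        findings.append((str(jar), version, version is None or version < FIXED))
    return findings


if __name__ == "__main__":
    # Usage: python check_log4j.py <install or extraction directory>
    for path, version, stale in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        label = ".".join(map(str, version)) if version else "unknown"
        print(f"{'UPDATE' if stale else 'ok':6} {label:10} {path}")
```

Reading the version from inside the archive means a jar that was only renamed to 2.17.1 is still reported as needing an update.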