lathag
Level 2

Lmtools License Manager

Can you please confirm whether the Lmtools License Manager application (FlexNet) is affected by the Log4j vulnerability? If yes, please share the remediation and mitigation steps.

0 Kudos
(3) Replies
mrathinam
Revenera Moderator

Hi @lathag, Lmtools is not affected by the Log4j vulnerability. In addition, FNP is not vulnerable to the Log4j vulnerability; however, the optional alerter module under examples with lmadmin (FlexNet Publisher 64-bit License Server Manager) was affected. You can find the remediation and mitigation steps here

Best Regards,

0 Kudos

Hi Rathinam,

Thank you for your reply. We have version v.11.12.1.4 build 154914 x64_n6 of LMTOOLS by Flexera Software. As per the mitigation steps, in the library file, we are finding:

activation.jar, alerter.jar, axis.jar, axis-ant.jar, commons-discovery-0.2.jar, commons-logging-1.0.4.jar, jarxpc.jar, log4j-1.2.8.jar, mail.jar, saaj.jar, wsdlj4j-1.5.1.jar.

Can you please guide us on what we should use in place of log4j-1.2.8.jar?

Thank you.

0 Kudos
mrathinam
Revenera Moderator

Hi @lathag, I think Log4j 1.x is not impacted by this vulnerability, so you can keep using the same jar.

However, if you still want to replace it with the latest version, you can download the latest jar here https://logging.apache.org/log4j/2.x/download.html and replace only:

From

log4j-1.2.8.jar

Replace to

log4j-1.2-api-2.17.1.jar

log4j-api-2.17.1.jar

log4j-core-2.17.1.jar

Best Regards,

0 Kudos
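
An added example, not part of the original thread and not Revenera's tooling: a Python check that opens each jar in a library folder like the one listed above and reports which Log4j classes it contains, the manifest version, and whether the `JndiLookup` class is present, so the folder can be inventoried before and after a jar swap. The function names are hypothetical, and it assumes the jar manifest carries an `Implementation-Version` field (it reports `None` otherwise).

```python
import re
import sys
import zipfile
from pathlib import Path

# Marker classes (paths inside the jar) used to tell the Log4j generations apart.
V1_API = "org/apache/log4j/Logger.class"  # Log4j 1.x package (the 2.x bridge jar has it too)
V2_CORE = "org/apache/logging/log4j/core/Logger.class"  # log4j-core 2.x
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def manifest_version(zf):
    """Return Implementation-Version from the jar manifest, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:[ \t]*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def classify_jar(source):
    """Classify one jar (path or file-like object) by the Log4j classes it contains."""
    try:
        with zipfile.ZipFile(source) as zf:
            names = set(zf.namelist())
            version = manifest_version(zf)
    except zipfile.BadZipFile:
        return {"kind": "unreadable", "version": None, "jndi_lookup": False}
    if V2_CORE in names or JNDI_LOOKUP in names:
        kind = "log4j-core 2.x"
    elif V1_API in names:
        kind = "log4j 1.x API classes"
    else:
        kind = "no log4j classes"
    # JndiLookup presence is reported, not judged: read it together with the version.
    return {"kind": kind, "version": version, "jndi_lookup": JNDI_LOOKUP in names}


def scan_dir(lib_dir):
    """Classify every *.jar directly under lib_dir; returns {filename: result}."""
    return {p.name: classify_jar(p) for p in sorted(Path(lib_dir).glob("*.jar"))}


if __name__ == "__main__":
    lib_dir = sys.argv[1] if len(sys.argv) > 1 else "."  # folder holding the jars
    for name, info in scan_dir(lib_dir).items():
        print(f"{name}: {info['kind']}, version={info['version']}, JndiLookup={info['jndi_lookup']}")
```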