CVE-2021-44228 & CVE-2021-45105: Log4j Vulnerability Impact on FlexNet Publisher
Summary
Vulnerabilities identified as CVE-2021-44228 and CVE-2021-45105 have been reported in the Apache Log4j library. These vulnerabilities may allow remote code execution in susceptible products.
Problem Description
Upon analysis, CVE-2021-44228 and CVE-2021-45105 have been determined to affect only the optional alerter module shipped under the examples directory of lmadmin (the FlexNet Publisher 64-bit License Server Manager).
Resolution
IMPORTANT: FNP itself is not vulnerable to the Log4j vulnerability; Log4j is only used in the example alerter. Customers can also apply the modification on their own.
The Log4j version has been upgraded to 2.17.0, and an updated version, FNP 11.18.3.1, is now available in the Product and License Center.
Workaround
For versions of FNP older than 11.18.3.1, you can apply the workaround below.
Download the latest version of Log4j (2.15, 2.16 or 2.17), and then replace each of the files in this path with its corresponding updated file:
C:\Program Files\FlexNet Publisher 64-bit License Server Manager\examples\alerter\lib
Replace these files:
log4j-1.2-api-2.13.3.jar
log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
With these files:
log4j-1.2-api-2.16.0.jar
log4j-api-2.16.0.jar
log4j-core-2.16.0.jar
or
log4j-1.2-api-2.17.0.jar
log4j-api-2.17.0.jar
log4j-core-2.17.0.jar
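To confirm the swap took effect (and to find any copies nested inside other jars, as the thread's mention of a log4j-detector describes), the following added checker is not part of the article or of FNP: it walks a directory such as the alerter lib path above, reads the version from each Log4j jar's file name, recurses into jar-in-jar entries, and flags anything below 2.17.0, the version the article ships in 11.18.3.1. The sample jars it builds are constructed fixtures, not real FNP files.

```python
"""Scan a directory tree for Log4j 2 jars and flag versions below 2.17.0."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

MIN_OK = (2, 17, 0)  # version shipped in FNP 11.18.3.1 per the KB article
_RX = re.compile(r"log4j-(?:core|api|1\.2-api)-(\d+)\.(\d+)\.(\d+)\.jar$")


def _version_of(label):
    """Parse (major, minor, patch) from a Log4j jar name, or None if not Log4j."""
    m = _RX.search(label)
    return tuple(int(x) for x in m.groups()) if m else None


def _collect(data, label, found):
    """Record the version for this jar, then recurse into any jars it embeds."""
    v = _version_of(label)
    if v:
        found[label] = v
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for n in zf.namelist():
                if n.lower().endswith(".jar"):
                    _collect(zf.read(n), f"{label}!{n}", found)
    except zipfile.BadZipFile:
        pass  # not a zip: nothing nested to inspect


def scan(root):
    """Return {jar_label: 'OKAY' | 'VULNERABLE'} for every Log4j jar under root."""
    found = {}
    for p in Path(root).rglob("*.jar"):
        _collect(p.read_bytes(), p.relative_to(root).as_posix(), found)
    return {k: ("OKAY" if v >= MIN_OK else "VULNERABLE") for k, v in found.items()}


def build_sample(root):
    """Constructed fixture: empty jars named like the article's, plus a nested one."""
    root = Path(root)
    for name in ("log4j-core-2.13.3.jar", "log4j-api-2.17.0.jar"):
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(root / "alerter.jar", "w") as zf:  # hypothetical wrapper jar
        zf.writestr("lib/log4j-core-2.16.0.jar", inner.getvalue())


def demo():
    """Build the fixture in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        return scan(d)
```

Point `scan()` at the real alerter lib directory to check an installed lmadmin; `demo()` exists only to exercise the fixture.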
Hi -
Per CVE, log4j 2.15.0 is incomplete and still has a vulnerability. Version 2.16.0 has since been released. Will FNP 11.8.3.1 be updated accordingly?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
Thanks,
Paul
Hi @pauldebacker, thanks for the link "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046". Yes, we are aware of this; let me update more details here for any change in the release 11.18.3.1. However, you can follow the workaround and update to log4j 2.16.0 if required.
Hi @pauldebacker, the plan is to update FNP 11.8.3.1 with version 2.16.0, and it will be available soon to download in PLC.
Best Regards,
Thanks!
@mrathinam The FlexNet Agent contains log4j-1.2.17.jar, but it is not listed as a separate product on this site?
What is the mitigation we should take if any?
@bill_irvine if you are referring to the FlexNet Agent which is a component of the FlexNet Manager product, you can refer to the Flexera product assessment details here: https://community.flexera.com/t5/Community-Notices/Flexera-s-response-to-Apache-Log4j-2-remote-code-execution/bc-p/216956#M83
This build is not showing up in our available downloads. I have a ticket open requesting to get this but I have yet to have heard anything back on it. Is there any way I can find out who our Account Manager is and talk with them to get it?
Darrell
@jordand I found your case and we'll get you an update there as soon as possible.
The version has been upgraded to 2.17 now in 11.18.3.1 kit.
@mrathinam, @cvirata Can you please update the information in the link? It seems I don't have permissions to edit it.
@Manjinder The article has been updated. Please message me internally if any other changes are required.
Thanks to @cvirata for the update, sorry I was on vacation. @Manjinder all KBs are updated now.
We downloaded 11.18.3.1 and the log4j files contained are 2.16.0 and not 2.17. We also noticed that when we run the installer, the installer shows 11.18.3.0 and not 3.1.
We just want to make sure we are getting the right installer.
Darrell Jordan
Hi @jordand, your observation is correct; let me work with our team to fix it. However, you can download lmadmin under FlexNet Publisher Licenses & Tools (11.18.3.1) and check that the jar has the right version.
For the UI version, 11.18.3.0 will remain the original build number, which will not change because the fix is only for the alerter (module) folder, which does not require rebuilding the kit to use it; moreover, we can easily replace the latest jar in that location and use it.
Best Regards,
Mani.
Hi @jordand, thanks for the screenshot. I downloaded the same file, "FlexNet Publisher (lmadmin) Installer for Windows x86-32", cleared the old install, deleted the C:\Program Files (x86)\FlexNet Publisher License Server Manager folder, and then installed lmadmin, and you can see the files are updated to 2.17.
Can you ask your team to uninstall, clear the old folder, install it again and check?
Also, share with me the output of lmadmin.exe -v
Best Regards,
@mrathinam They did clear out the old folder and reinstalled and it did show 2.17.0. A couple of other questions.
1. Is there a plan to move to 2.17.1? We know there was another vulnerability in 2.17.0 and were wondering about this.
2. Is there a way on a Windows system to know if someone was using the alerter function that the log4j files were used for? A customer of ours is not sure whether it was implemented or not, as the person who set it all up for them is no longer with the company.
Darrell
Hi @jordand, thanks for your confirmation.
1. FNP is not affected by CVE-2021-44832, so there is no need to upgrade to 2.17.1; however, we have yet to get a confirmation for the upgrade, and the same will be communicated in the community once we get a plan in place.
2. There is a log4j-detector on GitHub that will scan and detect log4j versions on your file system, including deeply recursively nested copies (jars inside jars inside jars). It will report whether each jar is _VULNERABLE_, _OKAY_, _SAFE_ or _OLD_. With that, we come to know if any jar is still affected and used in the system. Hope this helps.
Best Regards,
@mrathinam, I cleared the contents of the old install, deleted the C:\Program Files (x86)\FlexNet Publisher License Server Manager folder and then installed lmadmin, and version 2.16 was present. Also, this unexpected error message appeared at the end of the install, stating "... some errors occurred during the install. Please see the installation log for details." The log doesn't exist. What errors occurred? Why is 2.16 still present?
Note, this is the same error message that occurred here- Case Number: 02515987.
Hi @tblowe, thanks for your test. So the fix is "Uninstalling jdk 17 and installing jdk 1.8 resolved this problem!" Due to a known issue with the latest JDK, we suggest using only a supported (tested) JDK or JRE while installing lmadmin. (If you want to use OpenJDK, 1.8 is officially tested and will work without any issue.)
Best Regards,