CVE-2021-44228 & CVE-2021-45105: Log4j Vulnerability Impact on FlexNet Publisher
Summary
Two vulnerabilities, CVE-2021-44228 and CVE-2021-45105, have been reported in the Apache Log4j library. They may allow remote code execution in susceptible products.
Problem Description
Upon analysis, CVE-2021-44228 and CVE-2021-45105 have been determined to affect only the optional alerter module shipped under the examples directory of lmadmin (the FlexNet Publisher 64-bit License Server Manager).
Resolution
IMPORTANT: FNP itself is not vulnerable to the Log4j vulnerability; Log4j is used only in the example alerter module. Customers can also replace the jars on their own.
The bundled Log4j has been upgraded to 2.17.0, and an updated FNP release, 11.18.3.1, is now available in the Product and License Center.
Workaround
For FNP versions older than 11.18.3.1, use the following workaround.
Download the latest Log4j release (2.15, 2.16 or 2.17), and then replace each of the files in this path with its corresponding updated file:
C:\Program Files\FlexNet Publisher 64-bit License Server Manager\examples\alerter\lib
Replace these files:
log4j-1.2-api-2.13.3.jar
log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
With these files:
log4j-1.2-api-2.16.0.jar
log4j-api-2.16.0.jar
log4j-core-2.16.0.jar
or
log4j-1.2-api-2.17.0.jar
log4j-api-2.17.0.jar
log4j-core-2.17.0.jar
So, if I am reading this correctly, the issue is in the alerter functionality and is an issue only if someone is running that?
Darrell Jordan
Hi -
Per CVE, log4j 2.15.0 is incomplete and still has a vulnerability. Version 2.16.0 has since been released. Will FNP 11.8.3.1 be updated accordingly?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
Thanks,
Paul
Hi @jordand, you are right.
Best Regards,
Hi @pauldebacker, thanks for the link "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046". Yes, we are aware of this, and I will update more details here for any change in the release 11.18.3.1. However, you can follow the workaround and update to log4j 2.16.0 if required.
Hi @pauldebacker, the plan is to update FNP 11.8.3.1 with version 2.16.0, and it will be available soon to download in the PLC.
Best Regards,
Thanks!
@mrathinam The FlexNet Agent contains log4j-1.2.17.jar but it is not listed as a separate product on this site?
What is the mitigation we should take if any?
Hi @bill_irvine, let me check and come back with more details.
Best Regards,
@bill_irvine if you are referring to the FlexNet Agent which is a component of the FlexNet Manager product, you can refer to the Flexera product assessment details here: https://community.flexera.com/t5/Community-Notices/Flexera-s-response-to-Apache-Log4j-2-remote-code-execution/bc-p/216956#M83
Will we get an email when the new build is ready?
Hi @jordand - a separate email will not be sent out, however if you subscribe to this KB article, you should receive an alert when this is updated with the new build announcement.
@jordand The new build is already in the PLC for you to download. Let me know if you have any more queries.
@mrathinam Thanks.
This build is not showing up in our available downloads. I have a ticket open requesting to get this, but I have yet to hear anything back on it. Is there any way I can find out who our Account Manager is and talk with them to get it?
Darrell
@jordand I found your case and we'll get you an update there as soon as possible.
Hi @jordand, as per the case update, you should now be able to see 11.18.3.1 in your account.
Best Regards,
@mrathinam we were able to download the build. Thanks.
Darrell
The version has now been upgraded to 2.17 in the 11.18.3.1 kit.
@mrathinam, @cvirata Can you please update the information in the link? It seems I don't have permissions to edit it.
@Manjinder The article has been updated. Please message me internally if any other changes are required.
Thanks to @cvirata for the update, sorry I was on vacation. @Manjinder all KBs are updated now.
We downloaded 11.18.3.1 and the log4j files contained are 2.16.0 and not 2.17. We also noticed that when we run the installer, the installer shows 11.18.3.0 and not 3.1.
We just want to make sure we are getting the right installer.
Darrell Jordan
@jordand Thanks for your observation; let me do a quick test and come back with my update as soon as possible.
Best Regards,
Hi @jordand, your observation is correct, so let me work with our team to fix it. However, you can download lmadmin under FlexNet Publisher Licenses & Tools (11.18.3.1) and check that the jar has the right version.
For the UI version, 11.18.3.0 will remain the original build number, which will not change because the fix is only for the alerter (module) folder, which does not require rebuilding the kit again; moreover, we can easily replace the latest jar in that location and use it.
Best Regards,
Mani.
We downloaded 11.18.3.1 yesterday and it still had log4j 2.16 in it.
Darrell
Hi @jordand, can you give me the location and file name to which you are referring, so that I can check and come back?
Best Regards,
Here is the screenshot our development team sent to me.
Hi @jordand, thanks for the screenshot. I have downloaded the same file, "FlexNet Publisher (lmadmin) Installer for Windows x86-32", cleared the old install, deleted the C:\Program Files (x86)\FlexNet Publisher License Server Manager folder and then installed lmadmin, and you can find that the files are updated with 2.17.
Can you ask your team to uninstall, clear the old folder, install it again and check?
Also, share with me the output of lmadmin.exe -v
Best Regards,
@mrathinam They did clear out the old folder and reinstalled and it did show 2.17.0. A couple of other questions.
1. Is there a plan to move to 2.17.1? We know there was another vulnerability in 2.17.0 and was wondering about this.
2. Is there a way on a Windows system to know if someone was using the alerter function that the log4j files were used for? A customer of ours is not sure if it was implemented or not, as the person who set it all up for them is no longer with the company.
Darrell
Hi @jordand, thanks for your confirmation.
1. FNP is not affected by CVE-2021-44832, so there is no need to upgrade to 2.17.1; however, we have yet to get a confirmation for the upgrade, and the same will be communicated in the community once we get a plan in place.
2. There is a log4j-detector on GitHub that will scan and detect log4j versions on your file system, including deeply recursively nested copies (jars inside jars inside jars). It will report whether a jar is _VULNERABLE_, _OKAY_, _SAFE_ or _OLD_; with that, we come to know if any jar is still affected and used in the system, etc. Hope this helps.
Best Regards,
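The jar replacement in the Workaround section above and the detector described in this reply both reduce to the same check: find every log4j-core jar under a path (including copies nested inside other jars) and compare its version with the fix versions of the CVEs named in this thread. The script below is an added illustration, not part of the KB article, the log4j-detector project or any Flexera/Revenera tool; the fix versions in FIXES, the use of the manifest's Implementation-Version field, and the constructed `make_core_jar` test jars are my assumptions, marked in the code.

```python
import io
import re
import zipfile
from pathlib import Path
# Fixed-in versions of the Log4j 2.x CVEs discussed in this thread (1.x jars are out of scope).
FIXES = {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45046": (2, 16, 0),
         "CVE-2021-45105": (2, 17, 0), "CVE-2021-44832": (2, 17, 1)}

def core_version(zf, name):
    """(major, minor, patch) if zf is a log4j-core jar, else None; from the manifest or file name."""
    names = zf.namelist()
    if not any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        return None
    mf = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\d+\.\d+\.\d+)", mf, re.M)
    m = m or re.search(r"(\d+\.\d+\.\d+)", Path(name).name)  # e.g. log4j-core-2.13.3.jar
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def outstanding(version):
    """CVEs from FIXES that this log4j-core version does not yet fix."""
    return [cve for cve, fixed in FIXES.items() if version < fixed]

def scan_jar(name, data, results):
    """Record {name: outstanding CVEs} for this jar and any jar nested inside it."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return results  # not a zip container (e.g. a corrupt file): skip it
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        version = core_version(zf, name)
        if version is not None:
            results[name] = outstanding(version)
        for inner in zf.namelist():
            if inner.lower().endswith((".jar", ".war", ".ear", ".zip")):
                scan_jar(f"{name}!/{inner}", zf.read(inner), results)
    return results

def scan_dir(root):
    """Scan a directory tree (e.g. lmadmin's examples\\alerter\\lib) for log4j-core jars."""
    results = {}
    for path in Path(root).rglob("*.jar"):
        scan_jar(str(path), path.read_bytes(), results)
    return results

def make_core_jar(version, manifest=True):
    """Constructed stand-in for a log4j-core jar (test data, not a real Log4j artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if manifest:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    return buf.getvalue()
```

After applying the workaround, run `scan_dir` against the alerter lib path from the article: an empty list for a jar means none of the four CVEs remain, and a jar absent from the result was not recognised as log4j-core at all (log4j-api and log4j-1.2-api are intentionally not reported).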
@mrathinam, I cleared the contents of the old install and deleted the C:\Program Files (x86)\FlexNet Publisher License Server Manager folder and then installed the lmadmin and version 2.16 was present. Also, this unexpected error message appeared at the end of install stating "... some errors occurred during the install. Please see the installation log for details." The log doesn't exist. What errors occurred? Why is 2.16 still present?
Note, this is the same error message that occurred here: Case Number 02515987.
Hi @tblowe, thanks for all the replication details in the case; let me investigate further and update you on the case.
Best Regards,
Hi @tblowe, thanks for your test. So the fix is "Uninstalling jdk 17 and installing jdk 1.8 resolved this problem!" Due to some known issue with the latest JDK, we suggest using only a supported (tested) JDK or JRE while installing lmadmin. (If you want to use OpenJDK, then 1.8 is tested officially and will work without any issue.)
Best Regards,