Dec 21, 2021
07:06 AM
Thanks @jefflaing , I'll go hunting again! Edit: I checked and all I have is the two files. Edit 2: I had a date filter and found a bunch more. It's still early here...
... View more
Dec 20, 2021
10:07 AM
1 Kudo
I found another xml file that I suspect needs to be patched: C:\Program Files\FlexNet Operations\release\flexnet.ear\flexnet.war\WEB-INF\classes\flexnet-log4j.xml <PatternLayout pattern="%m{nolookups}%n"/>
... View more
Dec 20, 2021
08:19 AM
1 Kudo
@pauli_tuominen, @jefflaing Use at your own risk, this is what we tested over the weekend but now we'll have to test with 2.17. I looked at removing outbound internet access but we have this server at AWS and didn't want to break communications with any of their stuff. We were at version 2.8.2 of log4j. For any paths below I'm referring to Log4j locations on my FNO 2018 R1 Windows server. I'd search your server for where they may be squirreled away. On Windows I love using AgentRansack for searches. ** Installing 2.16 ** https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html Locations on my server: C:\Program Files\FlexNet Operations\components\wildfly\standalone\deployments\flexnet.ear\flexnet.war\WEB-INF\lib\ C:\Program Files\FlexNet Operations\release\flexnet.ear\flexnet.war\WEB-INF\lib\ Stop FlexNet services, apply the updates, and reboot. ** Removing JndiLookup.class from the classpath: ** $ zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class For this I used 7-Zip to open all the log4j-cor*.jar files mentioned above , navigated to org/apache/logging/log4j/core/lookup and deleted JndiLookup.class ** PatternLayout fix ** Edited Log4j2.xml in the locations below: C:\Program Files\FlexNet Operations\release\flexnet.ear\flexnet.war\WEB-INF\classes C:\Program Files\FlexNet Operations\components\wildfly\standalone\deployments\flexnet.ear\flexnet.war\WEB-INF\classes Change the PatternLayout line to read: <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg{nolookups}%n"/>
... View more
Dec 19, 2021
05:18 PM
2 Kudos
@jefflaing Initially we did the "remove the JndiLookup.class" fix and another fix but figured out how to replace the log4j files. There were 4 and we tested it last night and all seems to be well. We're running MS SQLServer. We've done this to a test server and tomorrow am I'll write this up and we want to do the production server tomorrow, we've disabled internet access to it and it's been unavailable to our customers for a week now. I'll post the write-up as soon as I'm finished. Jim
... View more
Dec 17, 2021
04:06 PM
2 Kudos
We've applied logj4 2.16 to FNO 2018 R1 and initial testing seems to work ok - has anyone else done this?
... View more
Dec 16, 2021
10:57 AM
@mkulvietis - the KB article mentions "Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true" - have you done that? I'm not sure if that's done in the System variables for Windows or if that is set on the command line for running FNO.
... View more
Dec 16, 2021
10:40 AM
@cvirata- These look to be directions for a Linux install - what is the process for a Windows installation? Also, will 2018 R1 be patched? Edit: I understand the removal of the JndiLookup.class but the PatternLayout change is not clear.
... View more
Dec 16, 2021
06:49 AM
Is there any sort of update on when we can expect a patch for FlexNet Operations On-Premises? We have had to take this server offline and it is affecting our ability for customers to activate their licenses.
... View more
Dec 14, 2021
08:44 AM
Version 2.16.0 of Log4j has been released.
... View more
Dec 13, 2021
01:29 PM
2 Kudos
Has anyone heard any response from Flexera?
... View more
About
Director of Information Technology
Cary, NC
Latest posts by jholcomb
Subject | Views | Posted |
---|---|---|
8121 | Dec 21, 2021 07:06 AM | |
8561 | Dec 20, 2021 10:07 AM | |
8647 | Dec 20, 2021 08:19 AM | |
9064 | Dec 19, 2021 05:18 PM | |
9233 | Dec 17, 2021 04:06 PM | |
10393 | Dec 16, 2021 10:57 AM | |
10420 | Dec 16, 2021 10:40 AM | |
10684 | Dec 16, 2021 06:49 AM | |
14196 | Dec 14, 2021 08:44 AM | |
40274 | Dec 13, 2021 01:29 PM |
Activity Feed
- Posted Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228) on Revenera Company News. Dec 21, 2021 07:06 AM
- Got a Kudo for Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228). Dec 21, 2021 02:08 AM
- Got a Kudo for Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228). Dec 21, 2021 02:08 AM
- Posted Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228) on Revenera Company News. Dec 20, 2021 10:07 AM
- Posted Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228) on Revenera Company News. Dec 20, 2021 08:19 AM
- Got a Kudo for Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228). Dec 20, 2021 04:00 AM
- Got a Kudo for Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228). Dec 20, 2021 03:59 AM
- Got a Kudo for Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228). Dec 19, 2021 06:14 PM
- Posted Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228) on Revenera Company News. Dec 19, 2021 05:18 PM
- Got a Kudo for Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228). Dec 19, 2021 03:35 PM
- Posted Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-4104, CVE-2021-45046, CVE-2021-44228) on Revenera Company News. Dec 17, 2021 04:06 PM
- Posted Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-44228) on Revenera Company News. Dec 16, 2021 10:57 AM
- Posted Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-44228) on Revenera Company News. Dec 16, 2021 10:40 AM
- Posted Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-44228) on Revenera Company News. Dec 16, 2021 06:49 AM
- Posted Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-44228) on Revenera Company News. Dec 14, 2021 08:44 AM
- Got a Kudo for Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-44228). Dec 13, 2021 04:38 PM
- Kudoed Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-44228) for dennis_reinhardt. Dec 13, 2021 01:58 PM
- Posted Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-44228) on Community Notices. Dec 13, 2021 01:29 PM
- Got a Kudo for Re: Security Advisory: Log4j Java Vulnerability (CVE-2021-44228). Dec 13, 2021 01:29 PM