Thanks @jefflaing , I'll go hunting again! Edit: I checked and all I have is the two files. Edit 2: I had a date filter and found a bunch more.  It's still early here... ... View more

I found another xml file that I suspect needs to be patched: C:\Program Files\FlexNet Operations\release\flexnet.ear\flexnet.war\WEB-INF\classes\flexnet-log4j.xml <PatternLayout pattern="%m{nolookups}%n"/> ... View more

@pauli_tuominen, @jefflaing Use at your own risk, this is what we tested over the weekend but now we'll have to test with 2.17. I looked at removing outbound internet access but we have this server at AWS and didn't want to break communications with any of their stuff. We were at version 2.8.2 of log4j. For any paths below I'm referring to Log4j locations on my FNO 2018 R1 Windows server. I'd search your server for where they may be squirreled away. On Windows I love using AgentRansack for searches. ** Installing 2.16 ** https://docs.jamf.com/technical-articles/Mitigating_the_Apache_Log4j_2_Vulnerability.html Locations on my server: C:\Program Files\FlexNet Operations\components\wildfly\standalone\deployments\flexnet.ear\flexnet.war\WEB-INF\lib\ C:\Program Files\FlexNet Operations\release\flexnet.ear\flexnet.war\WEB-INF\lib\ Stop FlexNet services, apply the updates, and reboot. ** Removing JndiLookup.class from the classpath: ** $ zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class For this I used 7-Zip to open all the log4j-cor*.jar files mentioned above , navigated to org/apache/logging/log4j/core/lookup and deleted JndiLookup.class ** PatternLayout fix ** Edited Log4j2.xml in the locations below: C:\Program Files\FlexNet Operations\release\flexnet.ear\flexnet.war\WEB-INF\classes C:\Program Files\FlexNet Operations\components\wildfly\standalone\deployments\flexnet.ear\flexnet.war\WEB-INF\classes Change the PatternLayout line to read:       <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg{nolookups}%n"/>   ... View more

@jefflaing Initially we did the "remove the JndiLookup.class" fix and another fix but figured out how to replace the log4j files. There were 4 and we tested it last night and all seems to be well. We're running MS SQLServer. We've done this to a test server and tomorrow am I'll write this up and we want to do the production server tomorrow, we've disabled internet access to it and it's been unavailable to our customers for a week now. I'll post the write-up as soon as I'm finished. Jim ... View more

We've applied logj4 2.16 to FNO 2018 R1 and initial testing seems to work ok - has anyone else done this? ... View more

@mkulvietis - the KB article mentions "Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true" - have you done that? I'm not sure if that's done in the System variables for Windows or if that is set on the command line for running FNO. ... View more

@cvirata- These look to be directions for a Linux install - what is the process for a Windows installation? Also, will 2018 R1 be patched? Edit: I understand the removal of the JndiLookup.class but the PatternLayout change is not clear. ... View more

Is there any sort of update on when we can expect a patch for FlexNet Operations On-Premises? We have had to take this server offline and it is affecting our ability for customers to activate their licenses. ... View more

Version 2.16.0 of Log4j has been released. ... View more

Has anyone heard any response from Flexera? ... View more