A vulnerability identified as CVE-2021-44228 and CVE-2021-45105 has been reported in the Apache Log4j library. This vulnerability may allow for remote code execution in susceptible products.
Upon analysis, CVE-2021-44228 and CVE-2021-45105 has been determined to impact the optional part of alerter module under examples with the (FlexNet Publisher 64-bit License Server Manager) lmadmin.
IMPORTANT: FNP is not vulnerable to log4j vulnerability. It is just used in the example. Customers can also modify on their own.
Log4j version has been upgraded to 2.17.0 and an updated version of FNP 126.96.36.199 is now available in the Product and License Center.
For older versions of FNP other than 188.8.131.52, you can follow the below workaround.
Download the latest version of log Log4j like 2.15 or 2.16 or 2.17, and then replace each of the files in this path with its corresponding updated file:
C:\Program Files\FlexNet Publisher 64-bit License Server Manager\examples\alerter\lib
Replace these files:
With these files:
So. If I am reading this correctly, the issue is in the alerter functionality and is an issue only if someone is running that?
Per CVE, log4j 2.15.0 is incomplete and still has a vulnerability. Version 2.16.0 has since been released. Will FNP 184.108.40.206 be updated accordingly?
Hi @jordand You are right.
Hi @pauldebacker Thanks for the link "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046" yes we are aware of this and let me update more details here for any change in the release 220.127.116.11 however you can follow the workaround and update to log4j 2.16.0 if required.
Hi @pauldebacker The plan is to update FNP 18.104.22.168 with Version 2.16.0 and it will be available soon to download in PLC.
@mrathinam The FlexNet Agent contains log4j-1.2.17.jar but it is not listed as a separate product on this site?
What is the mitigation we should take if any?
Hi @bill_irvine Let me check and come back with more details.
@bill_irvine if you are referring to the FlexNet Agent which is a component of the FlexNet Manager product, you can refer to the Flexera product assessment details here: https://community.flexera.com/t5/Community-Notices/Flexera-s-response-to-Apache-Log4j-2-remote-code-execution/bc-p/216956#M83
Will we get an email when the new build is ready?
Hi @jordand - a separate email will not be sent out, however if you subscribe to this KB article, you should receive an alert when this is updated with the new build announcement.
@jordand New build is already in the PLC for you to download. let me know if you have any more queries.
This build is not showing up in our available downloads. I have a ticket open requesting to get this but I have yet to have heard anything back on it. Is there any way I can find out who our Account Manager is and talk with them to get it?
@jordand I found your case and we'll get you an update there as soon as possible.
Hi @jordand as per the case update, now you should be able to see 22.214.171.124 in your account.
@mrathinam we were able to download the build. Thanks.
The version has been upgraded to 2.17 now in 126.96.36.199 kit.
@mrathinam,@cvirata Can you please update the the information in the link? It seems I don't have permissions to edit it.
@Manjinder The article has been updated. Please message me internally if any other changes are required.
Thanks to @cvirata for the update, sorry I was on vacation. @Manjinder all KBs are updated now.
We downloaded 188.8.131.52 and the log4j files contained are 2.16.0 and not 2.17. We also noticed that when we run the installer, the installer shows 184.108.40.206 and not 3.1.
We just want to make sure we are getting the right installer.
@jordand Thanks for your observation, let me do a quick test and come back with my update as soon as possible.
Hi, @jordand Your observation is correct to let me work with our team to fix it, however, you can download lmadmin under FlexNet Publisher Licenses & Tools (220.127.116.11) and check the jar has the right version.
For the UI version, 18.104.22.168 will be the original build number which will not change because the fix for only alerter (module) folder which is not required to rebuild the kit again to use it moreover we can easily replace the latest jar in the location and use it.
We downloaded 22.214.171.124 yesterday and it still had log4j 2.16 in it.
Hi @jordand Can you give me the location and file name to which you are referring so that I can check and come back.
Here is the screenshot our development team sent to me.
Hi @jordand Thanks for the screenshot, I have downloaded the same file "FlexNet Publisher (lmadmin) Installer for Windows x86-32" and cleared the old install and deleted the C:\Program Files (x86)\FlexNet Publisher License Server Manager folder and then installed the lmadmin and you can find the files are updated with 2.17
Can you ask your team to uninstall and clear the old folder and install it again and check?. Also, share with me the output of lmadmin.exe -v
@mrathinam They did clear out the old folder and reinstalled and it did show 2.17.0. A couple of other questions.
1. Is there a plan to move to 2.17.1? We know there was another vulnerability in 2.17.0 and was wondering about this.
2. Is there a way on a Windows system to know if someone was using the alerter function that the log4j files were used for? A customer of ours is not for sure if it was implemented or not as the person who set it all up for them is no longer with the company.
Hi @jordand Thanks for your confirmation.
1. FNP is not affected with CVE-2021-44832 so no need to upgrade to 2.17.1 however yet to get a confirmation for the upgrade, the same will be communicated in the community once we get a plan in place.
2. There is a log4j-detector in GitHub that will scan and Detect log4j versions on your file system, including deeply recursively nested copies (jars inside jars inside jars). Will give the jar is _VULNERABLE_ or _OKAY_ or _SAFE_ and _OLD_ with that, we come to know if any jar is still affected and used in the system etc hope this helps.
_OKAY_ or _SAFE_ and _OLD_
@mrathinam, I cleared the contents of the old install and deleted the C:\Program Files (x86)\FlexNet Publisher License Server Manager folder and then installed the lmadmin and version 2.16 was present. Also, this unexpected error message appeared at the end of install stating "... some errors occurred during the install. Please see the installation log for details." The log doesn't exist. What errors occurred? Why is 2.16 still present?
Note, this is the same error message that occurred here- Case Number: 02515987.
Hi @tblowe Thanks for all the replication details in the case, let me investigate further and update you on the case.
Hi @tblowe Thanks for your test, so the fix is "Uninstalling jdk 17 and installing jdk 1.8 resolved this problem! " due to some known issue with the latest JDK we suggest using only supported (tested) JDK or JRE while installing the lmadmin. (want to use open JDK then 1.8 tested officially which will work without any issue).