cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CVE-2021-44228 & CVE-2021-45105 : Log4j vulnerability impact on FlexNet Publisher

CVE-2021-44228 & CVE-2021-45105 : Log4j vulnerability impact on FlexNet Publisher

Summary:

A vulnerability identified as CVE-2021-44228 and CVE-2021-45105 has been reported in the Apache Log4j library. This vulnerability may allow for remote code execution in susceptible products.

Problem Description:

Upon analysis, CVE-2021-44228 and CVE-2021-45105 has been determined to impact the optional part of alerter module under examples with the (FlexNet Publisher 64-bit License Server Manager) lmadmin.

Resolution:

FNP is not vulnerable to log4j vulnerability. It is just used in the example. Customers can also modify on their own.

Log4j version has been upgraded to 2.17.0 and an updated version of FNP 11.18.3.1 is now available in the Product and License Center.

Workaround:

For older versions of FNP other than 11.18.3.1, you can follow the below workaround.

Download the latest version of log Log4j like 2.15 or 2.16 or 2.17 then replace the following file in this path C:\Program Files\FlexNet Publisher 64-bit License Server Manager\examples\alerter\lib

From

log4j-1.2-api-2.13.3.jar

log4j-api-2.13.3.jar

log4j-core-2.13.3.jar

Replace to

log4j-1.2-api-2.16.0.jar

log4j-api-2.16.0.jar

log4j-core-2.16.0.jar

Or 

log4j-1.2-api-2.17.0.jar

log4j-api-2.17.0.jar

log4j-core-2.17.0.jar

Labels (4)
Tags (1)
Was this article helpful? Yes No
100% helpful (1/1)
Comments

So. If I am reading this correctly, the issue is in the alerter functionality and is an issue only if someone is running that? 

 

Darrell Jordan

Hi - 

Per CVE, log4j 2.15.0 is incomplete and still has a vulnerability. Version 2.16.0 has since been released. Will FNP 11.8.3.1 be updated accordingly?

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Thanks,

Paul

Hi @jordand You are right. 

Best Regards,

Hi @pauldebacker Thanks for the link "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046" yes we are aware of this and let me update more details here for any change in the release 11.18.3.1 however you can follow the workaround and update to log4j 2.16.0 if required. 

Hi @pauldebacker The plan is to update FNP 11.8.3.1 with Version 2.16.0 and it will be available soon to download in PLC. 

Best Regards,

Thanks!

@mrathinam The FlexNet Agent contains log4j-1.2.17.jar but it is not listed as a separate product on this site?

What is the mitigation we should take if any?

 

 

Hi @bill_irvine Let me check and come back with more details. 

Best Regards,

@bill_irvine if you are referring to the FlexNet Agent which is a component of the FlexNet Manager product, you can refer to the Flexera product assessment details here: https://community.flexera.com/t5/Community-Notices/Flexera-s-response-to-Apache-Log4j-2-remote-code-execution/bc-p/216956#M83

 

Will we get an email when the new build is ready? 

Hi @jordand - a separate email will not be sent out, however if you subscribe to this KB article, you should receive an alert when this is updated with the new build announcement.

@jordand New build is already in the PLC for you to download. let me know if you have any more queries. 

@mrathinam Thanks. 

This build is not showing up in our available downloads. I have a ticket open requesting to get this but I have yet to have heard anything back on it. Is there any way I can find out who our Account Manager is and talk with them to get it? 

Darrell

@jordand  I found your case and we'll get you an update there as soon as possible.  

Hi @jordand as per the case update, now you should be able to see 11.18.3.1 in your account. 

Best Regards,

@mrathinam we were able to download the build. Thanks. 

Darrell

The version has been upgraded to 2.17 now in 11.18.3.1 kit. 

@mrathinam,@cvirata Can you please update the the information in the link? It seems I don't have  permissions to edit it. 

@Manjinder The article has been updated. Please message me internally if any other changes are required. 

Thanks to @cvirata  for the update, sorry I was on vacation. @Manjinder  all KBs are updated now. 

We downloaded 11.18.3.1 and the log4j files contained are 2.16.0 and not 2.17. We also noticed that when we run the installer, the installer shows 11.18.3.0 and not 3.1. 

 

jordand_0-1641332369284.png

 

We just want to make sure we are getting the right installer. 

 

Darrell Jordan

@jordand Thanks for your observation, let me do a quick test and come back with my update as soon as possible. 

Best Regards,

 

Hi, @jordand  Your observation is correct to let me work with our team to fix it, however, you can download lmadmin under FlexNet Publisher Licenses & Tools (11.18.3.1) and check the jar has the right version. 

For the UI version, 11.18.3.0 will be the original build number which will not change because the fix for only alerter (module) folder which is not required to rebuild the kit again to use it moreover we can easily replace the latest jar in the location and use it.  

Best Regards,

Mani. 

We downloaded 11.18.3.1 yesterday and it still had log4j 2.16 in it. 

 

Darrell

Hi @jordand Can you give me the location and file name to which you are referring so that  I can check and come back. 

Best Regards,

 

Here is the screenshot our development team sent to me. 

 

 

jordand_0-1641406273981.png

 

Hi @jordand  Thanks for the screenshot, I have downloaded the same file "FlexNet Publisher (lmadmin) Installer for Windows x86-32" and cleared the old install and deleted the C:\Program Files (x86)\FlexNet Publisher License Server Manager folder and then installed the lmadmin and you can find the files are updated with 2.17 

lmadmin.JPG

Can you ask your team to uninstall and clear the old folder and install it again and check?. 

Also, share with me the output of lmadmin.exe -v

Best Regards,

 

@mrathinam They did clear out the old folder and reinstalled and it did show 2.17.0. A couple of other questions. 

1. Is there a plan to move to 2.17.1? We know there was another vulnerability in 2.17.0 and was wondering about this. 

2. Is there a way on a Windows system to know if someone was using the alerter function that the log4j files were used for? A customer of ours is not for sure if it was implemented or not as the person who set it all up for them is no longer with the company. 

Darrell

Hi @jordand Thanks for your confirmation.

1. FNP is not affected with CVE-2021-44832 so no need to upgrade to 2.17.1 however yet to get a confirmation for the upgrade, the same will be communicated in the community once we get a plan in place. 

2.  There is a log4j-detector in GitHub that will scan and Detect log4j versions on your file system, including deeply recursively nested copies (jars inside jars inside jars).  Will give the jar is _VULNERABLE_ or _OKAY_ or _SAFE_ and _OLD_ with that, we come to know if any jar is still affected and used in the system etc hope this helps. 

Best Regards,

@mrathinam, I cleared the contents of the old install and deleted the C:\Program Files (x86)\FlexNet Publisher License Server Manager folder and then installed the lmadmin and version 2.16 was present. Also, this unexpected error message appeared at the end of install stating "... some errors occurred during the install. Please see the installation log for details." The log doesn't exist. What errors occurred? Why is 2.16 still present?

2022-01-21_10-28-43.png

 

Note, this is the same error message that occurred here- Case Number: 02515987.

 

Hi @tblowe Thanks for all the replication details in the case, let me investigate further and update you on the case.

Best Regards,

Hi @tblowe Thanks for your test, so the fix is "Uninstalling jdk 17 and installing jdk 1.8 resolved this problem! " due to some known issue with the latest JDK we suggest using only supported (tested) JDK or JRE while installing the lmadmin. (want to use open JDK then 1.8 tested officially which will work without any issue). 

Best Regards,

Version history
Last update:
‎Dec 24, 2021 08:12 PM
Updated by:
Contributors