Log4J Vulnerabilities

webMethods IS is used at the 10.11 and 10.3 levels:

We are getting a lot of vulnerabilities during scans because of log4j and are planning to upgrade to the latest log4j2 version. Can someone suggest how we can plan our upgrade activity?

If possible, please confirm which files/jars need to be updated.

Apache Log4j Remote Code Execution (RCE) Vulnerability (CVE-2021-45046) (Log4Shell)
Apache Log4j Remote Code Execution (RCE) Vulnerability (CVE-2021-44832)
EOL/Obsolete Software: Apache Log4j 1.X Detected
Apache Log4j 1.2 Remote Code Execution Vulnerability

Hi Rohit,

Hopefully you have support contracts with SAG (Extended for 10.3) in place.
SAG has already released fixes for this third-party component to remediate these vulnerabilities.

For 10.3 this should be at least TPP_10.3_log4J_Fix2, which updates to log4j 1.2.18.3.
For 10.11 this should be at least TPP_10.11_Loggers_Fix1 and TPS_10.11_Loggers_Fix1, which updates to log4j 2.16.0.

You should consider upgrading both versions to wM 10.15 as soon as possible.

Regards,
Holger

1 Like
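To answer the "which jars need to be updated" part of the question in a repeatable way, here is an added inventory script (not from the thread, not Software AG code). It walks an install directory, picks out every jar whose name contains log4j, reads the version from the jar's own `pom.properties` or `MANIFEST.MF` (falling back to the filename), and classifies it against the levels discussed above: log4j 1.x is reported as EOL (scanners flag it regardless of the vendor fix level), and log4j 2.x below 2.17.1 is reported as needing the upgrade. The 2.17.1 floor, the jar-name match and the sample directory layout are assumptions for this example; point `inventory_log4j()` at your real installation root instead of the constructed sample tree.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption: minimum acceptable log4j 2 level, taken from the fix level reported in this thread.
MIN_SAFE_LOG4J2 = (2, 17, 1)

JAR_NAME_RE = re.compile(r"log4j", re.IGNORECASE)
POM_VERSION_RE = re.compile(r"^version=(.+)$", re.MULTILINE)
MANIFEST_VERSION_RE = re.compile(r"^Implementation-Version:\s*(.+)$", re.MULTILINE)


def parse_version(text):
    """Turn '2.17.1' or '1.2.18.3' into a comparable tuple of the first three numeric parts."""
    nums = re.findall(r"\d+", text)
    return tuple(int(n) for n in nums[:3]) if nums else ()


def jar_version(path):
    """Read the version recorded inside the jar; fall back to digits in the filename."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        for name in names:  # Maven-built jars carry META-INF/maven/<group>/<artifact>/pom.properties
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                m = POM_VERSION_RE.search(jar.read(name).decode("utf-8", "replace"))
                if m:
                    return m.group(1).strip()
        if "META-INF/MANIFEST.MF" in names:
            m = MANIFEST_VERSION_RE.search(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            if m:
                return m.group(1).strip()
    m = re.search(r"\d+(?:\.\d+)+", Path(path).name)
    return m.group(0) if m else None


def classify(version):
    """Map a version string to an action, using the levels discussed in the thread."""
    v = parse_version(version or "")
    if not v:
        return "UNKNOWN: version could not be read"
    if v[0] == 1:
        return "EOL: log4j 1.x (scanners flag regardless of vendor fix level)"
    if v < MIN_SAFE_LOG4J2:
        return "UPGRADE: log4j 2.x below 2.17.1"
    return "OK"


def inventory_log4j(root):
    """Return sorted (relative path, version, status) for every log4j-named jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar") and JAR_NAME_RE.search(f):
                p = os.path.join(dirpath, f)
                try:
                    ver = jar_version(p)
                except zipfile.BadZipFile:  # corrupt or non-zip file with a .jar name
                    ver = None
                findings.append((os.path.relpath(p, root), ver, classify(ver)))
    return sorted(findings)


def build_sample_tree(root):
    """Construct a fake install tree (sample data, not a real product layout) with three log4j jars."""
    lib = Path(root) / "app" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    samples = {
        "log4j-core-2.16.0.jar": ("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties", "version=2.16.0\n"),
        "log4j-api-2.17.1.jar": ("META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties", "version=2.17.1\n"),
        "log4j.jar": ("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n"),
        "other-lib.jar": ("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n"),  # not log4j, must be skipped
    }
    for name, (member, content) in samples.items():
        with zipfile.ZipFile(lib / name, "w") as jar:
            jar.writestr(member, content)
    return lib


def run_demo():
    """Build the constructed sample tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory_log4j(tmp)


if __name__ == "__main__":
    for rel, ver, status in run_demo():
        print(f"{rel}\t{ver}\t{status}")
```

On a real server the output is the list you would hand to the fix-planning exercise: every line marked EOL or UPGRADE is a jar that the vendor fix (or a product upgrade) has to replace, and a jar showing UNKNOWN is worth opening by hand before the next scan.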

Thanks Holger, we applied the fixes on 10.11 and log4j is now updated to 2.17.1.
We’ll upgrade our 10.3 server to 10.11 soon.

I suggest upgrading the webMethods version instead of just updating log4j. There are probably a lot more vulnerabilities since that version stopped receiving updates.

2 Likes

Hi SARLAK,

Thanks for your suggestion and information. We will check with our manager and update here.

Regards,
Sravya.

EOM for 10.11 is Oct 2024. You should plan to move to 10.15 instead.

1 Like