WebM 10.3 - Get used log4j version and upgrade it

What product/components do you use and which version/fix level?

webMethods 10.3 Integration Server Fix #11 and Universal Messaging Fix #16

Are you using a free trial or a product with a customer license?

Customer License

What are you trying to achieve? Please describe in detail.

I would like to know the actual version of Log4J used in our Integration Server and Universal Messaging. We executed the command "find . -type f \( -name 'log4j-core*.jar' -o -name 'log4j.core*.jar' \)" and it displayed the following message:

./common/EventPersistence/es564/log4j-core.jar
./profiles/IS_default/configuration/org.eclipse.osgi/69/0/.cp/log4j-core-2.9.1.jar
./profiles/MWS_default/configuration/org.eclipse.osgi/114/0/.cp/log4j-core-2.9.1.jar

Does this confirm that we are using version 2.9 of log4j? How can we upgrade to version 2.17?

Do you get any error messages? Please provide a full error message screenshot and log file.

No error messages

Hi @Renan_Lopes1,
Integration Server 10.3 and Universal Messaging 10.3 use Log4j1 and log4j1 is not impacted so no fix is needed. The 2.9 version of Log4j you found is used by the Event Routing component that is installed with Integration Server. There is a fix planned to upgrade this log4j 2.9 to latest. You can find details about it at the bottom of this page: https://getsupport.softwareag.com/servicedesk/customer/kb/view/62982407#webMethodsFixesforLog4jZeroDaysecurityvulnerability-Version10.3andbelow

As communicated earlier, you can remove the JndiLookup.class by referring to the Event Persistence (Version 10.3) section on this page https://getsupport.softwareag.com/servicedesk/customer/kb/view/64095109#Log4jZeroDaysecurityvulnerabilityforwebMethods-Manualsolution:StepstoremovetheJndiLookup.class

2 Likes
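A file name alone does not settle the version question raised above, since one of the hits is simply `log4j-core.jar`. The following Python script is an added example, not code from this thread or from Software AG: it reads the version from inside each archive and reports whether `JndiLookup.class` is still present. The `LoggerContext` marker class, the function names and the demo jars are assumptions of the example.

```python
import os
import sys
import zipfile

# Archive entries that identify log4j-core 2.x whatever the jar file is called.
CORE_MARKER = "org/apache/logging/log4j/core/LoggerContext.class"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"


def read_version(jar, names):
    """Prefer Maven pom.properties, fall back to the manifest, else 'unknown'."""
    for entry, key in ((POM_PROPS, "version="), (MANIFEST, "Implementation-Version:")):
        lines = jar.read(entry).decode("utf-8", "replace").splitlines() if entry in names else []
        for line in lines:
            if line.startswith(key):
                return line[len(key):].strip()
    return "unknown"


def scan(root):
    """Return sorted (relative path, version, JndiLookup present) rows for log4j-core jars."""
    findings = []
    jars = (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if f.endswith(".jar"))
    for full in jars:
        try:
            with zipfile.ZipFile(full) as jar:
                names = set(jar.namelist())
                if CORE_MARKER in names or POM_PROPS in names:
                    rel = os.path.relpath(full, root)
                    findings.append((rel, read_version(jar, names), JNDI_CLASS in names))
        except (zipfile.BadZipFile, OSError):
            continue  # unreadable archive: skip it rather than abort the scan
    return sorted(findings)


def build_demo_tree(root):
    """Write constructed sample jars (not real Log4j builds) so the scan runs offline."""
    demo = {"a/log4j-core.jar": {CORE_MARKER: "", MANIFEST: "Implementation-Version: 2.9.1\n"},
            "b/log4j-core-2.9.1.jar": {CORE_MARKER: "", JNDI_CLASS: "", POM_PROPS: "version=2.9.1\n"}}
    for rel, entries in demo.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with zipfile.ZipFile(os.path.join(root, rel), "w") as jar:
            for entry, body in entries.items():
                jar.writestr(entry, body)


if __name__ == "__main__":
    print(*scan(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

Run it with the installation directory as the only argument. It does not open jars nested inside other archives, so a clean result covers only top-level jar files.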
