AGECOM products and Log4j Vulnerability
 
Product: All Products > Log4j
Version: All
Platform(s): All
Edition(s): All
Doc Number: 1000123
Published: 17-Jan-2022
Last Updated: 17-Jan-2022
 General Information
Are AGECOM products affected by the Log4j vulnerabilities reported under the following CVEs: CVE-2021-4104, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105?
 Solution
AGECOM products are not affected by the vulnerabilities raised for the Apache Log4j libraries under the following CVEs: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105. These relate to Log4j library versions 2.x through to 2.16. The version of Log4j used in AGECOM products is 1.2.16.
By default, AGECOM products are not affected by the vulnerability raised under CVE-2021-4104. However, if the default configuration has been changed and the log4j appender configuration setting has been set to JMSAppender, then a vulnerability may exist. To ensure the AGECOM products retain their default configuration and are not vulnerable, check the log4j.properties file under the 'Export' or 'AGECOM' folders located under the Data directory on your Notes client or Domino server.
The default appender used by the AGECOM products is 'ConsoleAppender'. The following lines should appear in the log4j.properties file:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%C.%M(%F:%L) %p: %m%n
All other appender lines should either be commented out or removed. There should not be any lines which relate to JMSAppender.
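The check described above can be scripted. The following is an added example, not AGECOM code: it reports every active (uncommented) appender class definition in a log4j.properties file that is not the default ConsoleAppender, and marks JMSAppender separately. The names `audit`, `logical_lines` and `SAMPLE` are assumptions made for this example, the sample content is constructed, and only class definitions are inspected, not an appender's sub-keys.

```python
import re

DEFAULT_APPENDER = "org.apache.log4j.ConsoleAppender"
# log4j.appender.<name>=<class>; sub-keys such as .layout contain further dots
APPENDER_KEY = re.compile(r"^log4j\.appender\.([^.\s]+)$")
KEY_VALUE = re.compile(r"([^=:\s]+)\s*[=:\s]\s*(.*)$")

# Constructed sample for illustration, not a real AGECOM file
SAMPLE = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
#log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.jms = org.apache.log4j.net.\\
    JMSAppender
"""


def logical_lines(text):
    """Yield (line_no, line): comments dropped, backslash continuations joined."""
    pending, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#!":
                continue  # blank or commented out (Java properties syntax)
            start = no
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]  # value continues on the next physical line
            continue
        yield start, pending + line
        pending = ""
    if pending:
        yield start, pending


def audit(text):
    """Return (line_no, verdict, appender_name, class_name) per active appender
    whose class is not the default ConsoleAppender."""
    findings = []
    for no, line in logical_lines(text):
        kv = KEY_VALUE.match(line)
        key = APPENDER_KEY.match(kv.group(1)) if kv else None
        if key and kv.group(2).strip() != DEFAULT_APPENDER:
            cls = kv.group(2).strip()
            verdict = "JMSAppender" if cls.endswith("JMSAppender") else "non-default"
            findings.append((no, verdict, key.group(1), cls))
    return findings
```

Pass the contents of each log4j.properties file found under the 'Export' and 'AGECOM' folders to `audit`; an empty list means no active appender other than ConsoleAppender is defined in that file.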
© 2022 AGE Computer Consultancy. All rights reserved.
Material may not be reproduced or distributed in any form without permission.