AGECOM products and Log4j Vulnerability
Last Updated: 17-Jan-2022
Are AGECOM products affected by the Log4j vulnerabilities reported under the following CVEs: CVE-2021-4104, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105?
AGECOM products are not affected by the vulnerabilities raised for the Apache Log4j libraries under the following CVEs: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105. These relate to Log4j library versions 2.x through to 2.16. The version of Log4j used in AGECOM products is 1.2.16.
By default, AGECOM products are not affected by the vulnerability raised under CVE-2021-4104. However, if the default configuration has been changed and the Log4j appender configuration setting has been set to JMSAppender, a vulnerability may exist. To ensure that the AGECOM products retain their default configuration and are not vulnerable, check the log4j.properties file under the 'Export' or 'AGECOM' folders located under the Data directory on your Notes client or Domino server.
The default appender used by the AGECOM products is 'ConsoleAppender'. The following lines should appear in the log4j.properties file:
log4j.appender.stdout.layout.ConversionPattern=%C.%M(%F:%L) %p: %m%n
All other appender lines should either be commented out or removed. There should not be any lines which relate to JMSAppender.
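The check described above can be scripted. The following is an added example, not AGECOM's own code: it reads a log4j.properties file, ignores commented-out lines, joins backslash continuations, and reports any active JMSAppender reference or any appender other than ConsoleAppender. The sample file contents, the appender names 'file' and 'jms', and the function names are assumptions constructed for illustration.

```python
import re
import sys

CONSOLE = "org.apache.log4j.ConsoleAppender"  # class of the default appender named on this page

# Constructed sample, not a real AGECOM file: the default entries plus two deviations.
SAMPLE = r"""# constructed example file
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout.ConversionPattern=%C.%M(%F:%L) %p: %m%n
#log4j.appender.old=org.apache.log4j.net.JMSAppender
log4j.appender.file = org.apache.log4j.RollingFileAppender
log4j.appender.jms=org.apache.log4j.net.\
    JMSAppender
"""

def active_properties(text):
    """Yield (line_no, key, value) for uncommented entries, joining '\\' continuations."""
    entry, start, cont = "", 0, False
    for no, raw in enumerate(text.splitlines() + [""], 1):  # sentinel flushes a dangling entry
        line = raw.lstrip()
        if not cont:
            if not line or line[0] in "#!":   # blank line or comment: not active
                continue
            entry, start = "", no
        # An odd number of trailing backslashes means the entry continues on the next line.
        cont = (len(line) - len(line.rstrip("\\"))) % 2 == 1
        entry += line[:-1] if cont else line
        if cont:
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", entry)
        if m:
            yield start, m.group(1), m.group(2).strip()

def audit(text):
    """Return (line_no, kind, entry) for every active line that departs from the default."""
    findings = []
    for no, key, value in active_properties(text):
        if "jmsappender" in (key + value).lower():
            findings.append((no, "JMSAppender", f"{key}={value}"))
        elif re.fullmatch(r"log4j\.appender\.[^.]+", key) and value != CONSOLE:
            findings.append((no, "non-default appender", f"{key}={value}"))
    return findings

if __name__ == "__main__":
    # Java properties files are ISO-8859-1; pass the path to log4j.properties as the argument.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE
    for no, kind, entry in audit(text):
        print(f"line {no}: {kind}: {entry}")
```

An empty result means the file contains only ConsoleAppender definitions and no active JMSAppender lines.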
AGE Computer Consultancy. All rights reserved.
Material may not be reproduced or distributed in any form without permission.