AGECOM products and Log4j Vulnerability


Product: All Products > Log4j > Version All
Platform(s): All
Edition(s): All
Doc Number: 1000123
Published 17-Jan-2022
Last Updated: 17-Jan-2022

 General Information

Are AGECOM products affected by the Log4j vulnerabilities reported under the following CVEs: CVE-2021-4104, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105?

 Solution

AGECOM products are not affected by the vulnerabilities raised for the Apache Log4j libraries under the following CVEs: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105. These relate to Log4j library versions 2.x through to 2.16. The version of Log4j used in AGECOM products is 1.2.16.

By default, AGECOM products are not affected by the vulnerability raised under CVE-2021-4104. However, if the default configuration has been changed and the Log4j appender configuration setting has been set to JMSAppender, then a vulnerability may exist. To ensure that the AGECOM products retain their default configuration and are not vulnerable, check the log4j.properties file under the 'Export' or 'AGECOM' folders located under the Data directory on your Notes client or Domino server.

The default appender used by the AGECOM products is 'ConsoleAppender'. The following lines should appear in the log4j.properties file:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%C.%M(%F:%L) %p: %m%n

All other appender lines should either be commented out or removed. There should not be any lines which relate to JMSAppender.
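The check described above can be scripted. The following Python sketch is an added example, not AGECOM code: the function name, severity labels and sample file contents are constructed for illustration. It reports every active (uncommented) line that relates to JMSAppender and every appender definition other than ConsoleAppender.

```python
import sys

DEFAULT_APPENDER = "org.apache.log4j.ConsoleAppender"
PREFIX = "log4j.appender."

def audit_log4j_properties(text):
    """Return [(line_no, severity, line)] for active lines that break the
    advisory's rule: ConsoleAppender only, nothing relating to JMSAppender."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Blank lines and lines commented out with '#' or '!' are inactive.
        if not line or line[0] in "#!":
            continue
        if "JMSAppender" in line:
            findings.append((line_no, "JMS", line))
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        # 'log4j.appender.<name>' with no further dot defines an appender;
        # longer keys (e.g. '.layout') only configure an existing one.
        if key.startswith(PREFIX) and "." not in key[len(PREFIX):]:
            if value != DEFAULT_APPENDER:
                findings.append((line_no, "NON_DEFAULT", line))
    return findings

# Constructed sample: the advisory's default lines plus changes to catch.
SAMPLE = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%C.%M(%F:%L) %p: %m%n
#log4j.appender.old=org.apache.log4j.net.JMSAppender
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""

if __name__ == "__main__":
    # Pass the path to log4j.properties; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = audit_log4j_properties(text)
    for line_no, severity, line in results:
        print(f"line {line_no}: {severity}: {line}")
    sys.exit(1 if results else 0)
```

The script exits with status 1 when any finding is reported, so it can be run against each log4j.properties file under the 'Export' and 'AGECOM' folders as part of a routine configuration check.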



2022 AGE Computer Consultancy. All rights reserved.
Material may not be reproduced or distributed in any form without permission.