AGECOM products and Log4j Vulnerability


Published 17-Jan-2022
Last Updated: 17-Jan-2022

 General Information

Are AGECOM products affected by the Log4j vulnerabilities reported under the following CVEs: CVE-2021-4104, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105?


AGECOM products are not affected by the vulnerabilities raised for the Apache Log4j libraries under the following CVEs: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105. These relate to Log4j library versions 2.x through to 2.16. The version of Log4j used in AGECOM products is 1.2.16.

By default, AGECOM products are not affected by the vulnerability raised under CVE-2021-4104. However, if the default configuration has been changed and the log4j appender configuration setting has been set to JMSAppender, then a vulnerability may exist. To ensure the AGECOM products retain their default configuration and are not vulnerable, check the file under the 'Export' or 'AGECOM' folders located under the Data directory on your Notes client or Domino server.

The default appender used by the AGECOM products is 'ConsoleAppender'. The following lines should appear in the file:
log4j.appender.stdout.layout.ConversionPattern=%C.%M(%F:%L) %p: %m%n

All other appender lines should either be commented out or removed. There should not be any lines which relate to JMSAppender.
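
The check described above can be automated. The following is an added example, not AGECOM code: it parses log4j 1.x properties text, ignores commented-out lines, and reports every active line that defines, configures or attaches a JMSAppender. The function names and the sample configuration are assumptions constructed for illustration.

```python
import re

def active_properties(text):
    """Yield (key, value) for each uncommented entry of Java .properties text."""
    pending = ""
    for raw in text.splitlines() + [""]:
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment; '#' and '!' both start a comment
        # An odd number of trailing backslashes continues the entry on the next line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending += line[:-1]
            continue
        entry, pending = pending + line, ""
        # The key ends at the first '=', ':' or whitespace.
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", entry)
        if m:
            yield m.group(1), m.group(2).strip()

def audit_log4j1(text):
    """Return (appenders, findings) for log4j 1.x properties text."""
    props = list(active_properties(text))
    appenders = {k.split(".")[2]: v for k, v in props
                 if re.fullmatch(r"log4j\.appender\.[^.]+", k)}
    jms = {name for name, cls in appenders.items() if "JMSAppender" in cls}
    findings = []
    for k, v in props:
        parts = k.split(".")
        if k.startswith("log4j.appender.") and parts[2] in jms:
            findings.append(f"{k}={v}")  # the JMSAppender itself or one of its options
        elif re.match(r"log4j\.(rootLogger|rootCategory|logger\.|category\.)", k):
            attached = {s.strip() for s in v.split(",")[1:]} & jms
            if attached:
                findings.append(f"{k}={v}")  # a logger that writes to the JMSAppender
    return appenders, findings

# Constructed sample, not an AGECOM file: the default ConsoleAppender, a
# commented-out FileAppender, and a JMSAppender split over a continuation line.
SAMPLE = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%C.%M(%F:%L) %p: %m%n
#log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.jms=org.apache.log4j.net.\\
    JMSAppender
log4j.appender.jms.TopicBindingName=exampleTopic
"""
```

To check a real file, pass its contents to audit_log4j1(); an empty findings list with ConsoleAppender as the only entry in appenders matches the default configuration described here.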

2022 AGE Computer Consultancy. All rights reserved.
Material may not be reproduced or distributed in any form without permission.