This article provides supplemental information to SB10377, regarding on-premises ePO and the log4j vulnerabilities.

The CVEs involved include:

• CVE-2021-44228
• CVE-2021-45046
• CVE-2021-45105
• CVE-2021-44832.

Our formal response regarding product impact to the log4j vulnerabilities is available in SB10377 - McAfee Enterprise products' status for "Log4Shell" (CVE-2021-44228, CVE-2021-4104, CVE-2021-45046, and CVE-2021-45105).

You can find information about our malware coverage for log4shell in KB95091 - McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution. 

Hotfix release details
To respond as rapidly as possible, two hotfixes were released for ePO which incremented log4j. Both of these hotfixes have been pulled from our download site because they’re no longer needed with the release of ePO 5.10 Update 12. 
 

ePO Version	Release Date	Log4j Version	CVEs Addressed	Comments
ePO 5.10 Update 12	January 11 2022	2.17.1	CVE-2021-44228 CVE-2021-45046 CVE-2021-45105
ePO 5.10 Update 11 Hotfix 2	December 21 2021	2.17.0	CVE-2021-44228 CVE-2021-45046 CVE-2021-45105	Not Available. Superseded by ePO 5.10 Update 12.
ePO 5.10 Update 11 Hotfix 1	December 16 2021	2.16.0	CVE-2021-44228	Not Available. Superseded by ePO 5.10 Update 11 Hotfix 2.

IMPORTANT:

• Both of the hotfixes could only be installed on ePO 5.10 update 11.
• Both hotfixes needed to be manually removed before using the Repair feature on ePO 5.10 Update 11.
• You can apply ePO 5.10 Update 12, regardless of whether you have applied either hotfix.

Frequently Asked Questions

If I have installed ePO 5.10 Update 11 Hotfix 1, must I upgrade to ePO 5.10 Update 12?
Yes. ePO 5.10 Update 11 Hotfix 1 addressed CVE-2021-44228, but it doesn’t address CVE-2021-45046 or CVE-2021-45105. 

If I have installed ePO 5.10 Update 11 Hotfix 2, must I upgrade to ePO 5.10 Update 12?
It is not needed, but you can. No additional vulnerabilities are addressed between ePO 5.10 Update 11 Hotfix 2 and ePO 5.10 Update 12 because ePO isn’t vulnerable to CVE-2021-44832. See KB95123 - ePolicy Orchestrator Sustaining Statement (SSC2112291) - Response to Log4j vulnerability CVE-2021-44832 for documentation on why ePO isn’t vulnerable to CVE-2021-44832. 

If ePO isn’t vulnerable to CVE-2021-44832, why does ePO 5.10 Update 12 deliver log4j version 2.17.1?
A decision was made while responding to log4j that we would follow up our hotfix releases with a cumulative update release. The update only incremented log4j, and provided the latest build available at the time of the release. 

If I have applied ePO 5.10 Update 11 Hotfix 1 or 2, do I need to remove them before applying Update 12?
No. You can remove the files you backed up when you apply the hotfixes. It’s optional, but isn’t needed.
Assuming you used the same file names we recommended in the hotfix release notes, you can safely remove the files below  after you apply Update 12 or later:

• log4j-1.2-api-2.14.1.jar.bak
• log4j-1.2-api-2.14.1.jar.sig.bak
• log4j-api-2.14.1.jar.bak
• log4j-api-2.14.1.jar.sig.bak
• log4j-core-2.14.1.jar.bak
• log4j-core-2.14.1.jar.sig.bak
• log4j-1.2-api-2.16.0.jar.bak
• log4j-1.2-api-2.16.0.jar.sig.bak
• log4j-api-2.16.0.jar.bak
• log4j-api-2.16.0.jar.sig.bak
• log4j-core-2.16.0.jar.bak
• log4j-core-2.16.0.jar.sig.bak

NOTE: You might not have all of the files listed above. It depends on whether you applied hotfix 1, hotfix 2, or both. 

Why is my vulnerability scanner flagging Agent Handlers as vulnerable to one or more log4j vulnerabilities?
The same cumulative update package you apply on the ePO server is used to update Agent Handlers. This package contains a copy of the log4j libraries to update the Application Server. When you apply an update to an Agent Handler, it copies the contents of the entire package to the <AH Install Dir>\Updater folder. The presence of these JAR files is what the scanner is detecting. Because these files aren’t used by the handler, you can either ignore the scan results or remove the files.

Why is my vulnerability scanner flagging my ePO server as vulnerable to a log4j vulnerabilities after I’ve applied Update 12?
When you apply an update on the ePO server, it copies the entire update package to the <ePO Install Directory>\Updates folder. This location might also contain some log4j JAR files. ePO only loads the log4j libraries from the <ePO Install Dir>\Server\Lib folder. Any copies of the log4j JAR files in any other location that ePO doesn't use can be removed. But, not without potential downsides outside of the day-to-day operation of ePO. 

This table outlines the file locations and potential problems with removing them. This table assumes you use the default ePO installation directory. 
 

File Location	JAR files can be Deleted or Renamed?	Potential Impact
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\	No	ePO fails to function. Tomcat service might not start, or initialize properly.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Updates\	Yes	Rollback and Repair feature of the Update tool can fail.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\	Yes	Repair of ePO install might fail.

NOTE: The paths above include any subfolders in the referenced path.

Do I need to remove the previously published mitigation instructions that were documented in SB10377 for ePO before or after applying ePO 5.10 Update 12?
No. The mitigation instructions for ePO can be left in place; they have no negative impact on ePO. If you want to remove them, the instructions for doing so are documented in SB10377 - McAfee Enterprise products' status for "Log4Shell" (CVE-2021-44228, CVE-2021-4104, CVE-2021-45046, and CVE-2021-45105).

Do CVE-2021-44228, CVE-2021-4104, CVE-2021-45046, and CVE-2021-45105 apply to ePO 5.10 Update 10 or earlier? If not, why? 
None of the CVEs apply to ePO 5.10 Update 10 or earlier. For CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105, is because those vulnerabilities only apply to log4j 2.x, while ePO 5.10 Update 10 and earlier use log4j 1.2. CVE-2021-4104 applies to log4j 1.2, but you’re only vulnerable if the JMSAppender is implemented. ePO doesn’t implement the JMSAppender.