The file log4j-1.2.17.jar can trigger vulnerability scans to report as a potential risk

Technical Articles ID: KB95408
Last Modified: 2022-03-25 07:34:08 Etc/GMT

Environment

Data Exchange Layer (DXL) 6.0

Linux Operating System

Problem

The file log4j-1.2.17.jar can trigger some vulnerability scanners as a potential risk.

The file is included with DXL Broker 6.0 and can be found in the directory /opt/McAfee/dxlbroker/ipe/lib/log4j-1.2.17.jar

Solution

The file log4j-1.2.17.jar isn’t considered vulnerable for DXL.

To support not being vulnerable is covered in the content listed below:

KB95091 - Coverage for Apache Log4j CVE-2021-44228 Remote Code Execution.
SB10377 - REGISTERED - Security Bulletin - Product status for "Log4Shell" (CVE-2021-44228, CVE-2021-4104, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832).

NOTE: The referenced content is available only to logged in ServicePortal users. To view the content, click the link and log in when prompted.

NOTE: The log4j-1.2.17.jar file is planned to be updated to a 2.x version when the DXL 6.0.3 Broker is released. The false detection issue is resolved after a successful upgrade.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

The file log4j-1.2.17.jar can trigger vulnerability scans to report as a potential risk

Environment

Problem

Solution

Affected Products

Languages:

Title

Title

Knowledge Center

The file log4j-1.2.17.jar can trigger vulnerability scans to report as a potential risk

Environment

Problem

Solution

Affected Products

Languages:

Choose your region

Title

Title