SoftTree Technologies Technical Support Forums
Forum Index » 24x7 Scheduler, Event Server, Automation Suite

Upgrade for Log4J 2.16.0

Don Macary
Can you explain how to incorporate log4j 2.16 into the current version of 24x7?
I had thought version 6.1 would use the new jar, but it seems it is still installing 2.15.

SoftTree's website recommends upgrading, but I'm not sure how that is done.


Update, December 16, 2021: A new issue has been reported after Log4j2 version 2.15.0 release. In non default configurations version 2.15.0 might be vulnerable to Denial of Service attacks. We strongly recommend updating to 2.16.0 at the time of the release of this article.
Fri Aug 26, 2022 3:16 pm
SysOp (Site Admin)
It installs a non-vulnerable and additionally protected version, 1.17; it's not 2.x, which was impacted by multiple discovered exploits. The referenced recommendation is to upgrade to version 6.1, and to patch versions 2.x of log4j in your other applications, if you use them. :-)
Fri Aug 26, 2022 5:23 pm
Don Macary
Should I be concerned with this file:

log4j-1.2.15-minimized.jar?
Sun Aug 28, 2022 8:22 pm
SysOp (Site Admin)
It's a good, safe version. You don't need to patch it.
Mon Aug 29, 2022 12:29 am
Don Macary
My customer has asked me to get more info about this.

The new version 6.1 was installed and their Tenable scan is still highlighting the log4j.1.2.17.jar file as potentially vulnerable.

Specifically they are concerned that the log4j version 1.17 is at End of Life (EOL) and can't / won't be patched in the future.

Is version 6.1 really using that old version of log4j? Or maybe you are using the log4j bridge that allows use of the newer 2.x log4j?

What is SoftTree's position on this?

Thanks.
Fri Sep 09, 2022 11:05 am
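The question above, whether a scanner-flagged jar is really log4j 1.2.x or a 2.x bridge, can be answered from the file itself. This is an added example, not code from the thread or from SoftTree: it reads the jar's package layout and its Maven pom.properties (falling back to the file name for a stripped-down jar that carries no metadata) and flags 2.x versions older than the 2.16.0 the quoted advisory points to. The build_sample_jar helper and the jars it writes are constructed for demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Package layouts differ by generation; the 2.x "1.2 bridge" ships 1.x-style packages
# but identifies itself as artifact log4j-1.2-api in its Maven pom.properties.
LOG4J1_PKG = "org/apache/log4j/"
LOG4J2_PKG = "org/apache/logging/log4j/"
RECOMMENDED_2X = (2, 16, 0)  # the 2.x version the advisory quoted in the thread points to

def _pom_properties(zf):
    """Return key/value pairs from the first META-INF/maven/**/pom.properties, or {}."""
    props = {}
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            break
    return props

def classify_log4j_jar(path):
    """Report which log4j generation a jar really is and whether it predates 2.16.0."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        pom = _pom_properties(zf)
    # A stripped-down ("minimized") jar may carry no pom.properties: fall back to the name.
    version = pom.get("version") or next(iter(re.findall(r"\d+\.\d+(?:\.\d+)?", Path(path).name)), None)
    artifact = pom.get("artifactId")
    is_2x = artifact == "log4j-1.2-api" or any(n.startswith(LOG4J2_PKG) for n in names)
    is_1x = any(n.startswith(LOG4J1_PKG) for n in names)
    generation = "2.x" if is_2x else "1.x" if is_1x else None  # None: not a log4j jar
    parsed = tuple(int(p) for p in re.findall(r"\d+", version)[:3]) if version else None
    return {
        "generation": generation,
        "artifact": artifact,
        "version": version,
        "predates_2_16": generation == "2.x" and parsed is not None and parsed < RECOMMENDED_2X,
    }

def build_sample_jar(filename, entries):
    """Write a constructed jar (a plain zip) with {entry_name: bytes} into a temp dir (demo helper)."""
    path = Path(tempfile.mkdtemp()) / filename
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return str(path)
```

Run classify_log4j_jar over every jar the scanner lists; a "1.x" result with no log4j-1.2-api artifact is the bundled 1.2 library the replies describe, not a 2.x core jar.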
SysOp (Site Admin)
Our official position is that version 1.2 is known not to be vulnerable to the reported issues. We maintain and support it, and if necessary we will deliver any required fixes. We have also stripped it down to the code being used and removed all extra features. It's basically an integrated critical component. Replacing it with more recent new major versions is somewhat risky: they are not fully backward compatible and have not been fully tested. Also, considering their shorter life span and the addition of many new features, they may actually have a higher risk level. Our recommendation is not to upgrade 1.2 to more recent versions, and to leave it to us.
Fri Sep 09, 2022 11:46 am
Don Macary
Thanks, excellent reply.
Fri Sep 09, 2022 1:15 pm
All times are GMT - 4 Hours