SoftTree Technologies
Technical Support Forums

Don Macary
Joined: 13 Aug 2003 Posts: 51

Upgrade for Log4J 2.16.0

Can you explain how to incorporate log4j 2.16 into the current version of 24x7?
I had thought version 6.1 would use the new jar, but it seems it is still installing 2.15.
Softtree's website recommends upgrading, but I'm not sure how that is done.

Update, December 16, 2021: A new issue has been reported after the Log4j2 version 2.15.0 release. In non-default configurations version 2.15.0 might be vulnerable to Denial of Service attacks. We strongly recommend updating to 2.16.0 at the time of the release of this article.

Fri Aug 26, 2022 3:16 pm

SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7948

It installs a non-vulnerable and additionally protected version, 1.17; it's not 2.x, which was impacted by multiple discovered exploits. The referenced recommendation is to upgrade to version 6.1, and to patch versions 2.x of log4j in your other applications, if you use them. :-)

Fri Aug 26, 2022 5:23 pm

Don Macary
Joined: 13 Aug 2003 Posts: 51

Should I be concerned with this file:
log4j-1.2.15-minimized.jar?

Sun Aug 28, 2022 8:22 pm

SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7948

It's a good, safe version. You don't need to patch it.

Mon Aug 29, 2022 12:29 am

Don Macary
Joined: 13 Aug 2003 Posts: 51

My customer has asked me to get more info about this.
The new version 6.1 was installed and their Tenable scan is still highlighting the log4j.1.2.17.jar file as potentially vulnerable.
Specifically, they are concerned that log4j version 1.17 is at End of Life (EOL) and can't / won't be patched in the future.
Is version 6.1 really using that old version of log4j? Or maybe you are using the log4j bridge that allows use of the newer 2.x log4j?
What is SoftTree's position on this?
Thanks

Fri Sep 09, 2022 11:05 am

SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7948

Our official position is that version 1.2 is known not to be vulnerable to the reported issues. We maintain and support it, and if necessary we will deliver any required fixes. We have also stripped it down to the code being used and removed all extra features. It's basically an integrated critical component. Replacing it with more recent major versions is somewhat risky: they are not fully backward compatible and have not been fully tested. Also, considering their shorter life span and the addition of many new features, they may actually have a higher risk level. Our recommendation is not to upgrade 1.2 to more recent versions, and to leave it to us.

Fri Sep 09, 2022 11:46 am
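Added example, not from this thread and not SoftTree's code: when a scanner such as the Tenable one above flags a jar by its file name, the evidence a customer's risk record needs is what the artifact itself contains. The Python below reads the version from the jar's Maven pom.properties (falling back to the manifest's Implementation-Version header), tells the 1.x line (org.apache.log4j packages) from the 2.x line (org.apache.logging.log4j packages) and from the 1.2 bridge artifact (log4j-1.2-api) by package layout and artifactId, and lists the appender classes present, which is how you would check a vendor's statement that the jar was stripped down to the code in use. The sample jar built by build_sample_jar() is constructed in memory for the demonstration; its entry names and version string are assumptions, not the contents of the real log4j-1.2.17.jar shipped with 24x7.

```python
import io
import re
import zipfile


def build_sample_jar() -> bytes:
    """Constructed in-memory jar standing in for a stripped-down log4j 1.2.x build.
    Entry names follow the real log4j 1.x layout, but the class bodies are placeholder
    bytes (class-file magic only), so this is an illustration, not a real jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: 1.2.17\r\n\r\n")
        zf.writestr("META-INF/maven/log4j/log4j/pom.properties",
                    "#Generated by Maven\nversion=1.2.17\ngroupId=log4j\nartifactId=log4j\n")
        for cls in ("org/apache/log4j/Logger.class",
                    "org/apache/log4j/FileAppender.class",
                    "org/apache/log4j/RollingFileAppender.class",
                    "org/apache/log4j/PatternLayout.class"):
            zf.writestr(cls, b"\xca\xfe\xba\xbe")  # constructed placeholder body
    return buf.getvalue()


def _parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' and '!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


# Maven artifactIds that identify a log4j jar (1.x, 2.x core/api, and the 1.2 bridge).
LOG4J_ARTIFACTS = {"log4j", "log4j-core", "log4j-api", "log4j-1.2-api"}


def inspect_log4j_jar(jar_bytes: bytes) -> dict:
    """Describe a jar from its contents rather than its file name."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        version = None
        artifact = None
        # Maven metadata is the most reliable version source when it is present.
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = _parse_properties(zf.read(name).decode("utf-8", "replace"))
                if props.get("artifactId") in LOG4J_ARTIFACTS:
                    version = props.get("version")
                    artifact = props.get("artifactId")
                    break
        # Fall back to the manifest's Implementation-Version header.
        if version is None and "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if match:
                version = match.group(1)

    classes = [n for n in names if n.endswith(".class")]
    # 2.x lives under org.apache.logging.log4j; 1.x under org.apache.log4j.
    # The 1.2 bridge also ships org.apache.log4j classes, so its artifactId decides.
    if artifact == "log4j-1.2-api":
        lineage = "2.x bridge (log4j-1.2-api)"
    elif any(c.startswith("org/apache/logging/log4j/") for c in classes):
        lineage = "2.x"
    elif any(c.startswith("org/apache/log4j/") for c in classes):
        lineage = "1.x"
    else:
        lineage = "unknown"
    # Appender classes are the features most often cut from a minimized build.
    appenders = sorted(
        c[:-len(".class")].replace("/", ".") for c in classes if c.endswith("Appender.class")
    )
    return {
        "version": version,
        "artifact": artifact,
        "lineage": lineage,
        "class_count": len(classes),
        "appenders": appenders,
    }


if __name__ == "__main__":
    for key, value in inspect_log4j_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

To inspect the real file, pass its bytes: inspect_log4j_jar(open(path, "rb").read()). The resulting version, lineage and appender list come from the artifact rather than from its name, which is what a scanner exception or a risk-acceptance record should cite.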

Don Macary
Joined: 13 Aug 2003 Posts: 51

Thanks, excellent reply.

Fri Sep 09, 2022 1:15 pm