URL: https://pitstop.manageengine.com/portal/en/community/topic/update-on-the-recent-apache-log4j2-vulnerability-impact-on-manageengin...
UPDATE ON THE RECENT APACHE LOG4J2 VULNERABILITY - IMPACT ON MANAGEENGINE ON-PREMISES PRODUCTS

 * Priyanka
 * Discussion
 * 1 month ago



A high-severity vulnerability (CVE-2021-44228) impacting multiple versions of
the Apache Log4j2 utility was disclosed publicly on December 9, 2021. The
vulnerability impacts Apache Log4j2 versions below 2.15.0. Details of this
vulnerability are documented here:
https://logging.apache.org/log4j/2.x/security.html



ManageEngine products bundled with vulnerable Log4j2 (as of 13th December,
2021):

Product name              Jar version in bundled dependency
ADManager Plus            V2.11.1
ADAudit Plus              V2.10.0
DataSecurity Plus         V2.10.0
EventLog Analyzer         V2.9.1
M365 Manager Plus         V2.11.1
RecoveryManager Plus      V2.11.1
Exchange Reporter Plus    V2.11.1
Log360                    V2.9.1
Log360 UEBA               V2.11.1
Cloud Security Plus       V2.9.1
M365 Security Plus        V2.11.1
Analytics Plus            V2.7

 

Please note that we have not identified any exploitable cases due to Log4j2 in
the above products, as we do not use Log4j directly for logging. However, some
of the third-party components we use bundle Log4j2 as a dependency. So, as an
additional safety measure, customers are instructed to apply the mitigation
steps listed below:

 1.  ADManager Plus
 2.  ADAudit Plus
 3.  DataSecurity Plus
 4.  EventLog Analyzer
 5.  M365 Manager Plus
 6.  M365 Security Plus
 7.  RecoveryManager Plus
 8.  Exchange Reporter Plus
 9.  Log360
 10. Log360 UEBA
 11. Cloud Security Plus
 12. Analytics Plus


Other ManageEngine products that are not listed above are not impacted by this
vulnerability.

We are continuing to analyze the issue and will update this advisory if any new
information becomes available.


For any additional details or assistance, please contact
security@manageengine.com






32 REPLIES

 * Craig B
 * 1 month ago

We are finding vulnerable log4j in the Java that is installed with the
ADSelfService portal, specifically Java SE Runtime 8 Update 162. Wasn't sure if
we could remove/update that without breaking the underlying ADSelfService.


 * Craig B
 * 1 month ago

To update my post above: I see the same issue with the Java installed by
ADAudit Plus and OpManager. Both have versions of Java installed in
ManageEngine\"name of product"\jre\bin that show an old version of log4j, so
my same question applies. How do you go about patching or removing Java from
these products?


 * Craig B
 * 1 month ago

This has nothing to do with the jar files in LIB; the report we are getting
from our AV product is very specific to the Java that must be installed with
it, listed under installation folder\jre\bin.


 * Rick Wegner
 * 1 month ago

Is there an update on the Log4j 1.x vulnerability (CVE-2021-4104), considering
this CVE potentially affects products not listed, like ServiceDesk Plus?

Do the Log4j 1.2 products in ServiceDesk Plus have JMSAppender configured?

From https://www.kb.cert.org/vuls/id/930724:
"To mitigate: audit your logging configuration to ensure it has no JMSAppender
configured. Log4j 1.x configurations without JMSAppender are not impacted by
this vulnerability."
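The inventory check this thread keeps circling back to, as an added Python example that is not ManageEngine's code: walk an install tree, classify every bundled log4j jar by its version (2.x below the advisory's 2.15.0 threshold vs. the EOL 1.x jar that CVE-2021-4104 concerns), and flag any log4j configuration file that declares JMSAppender, which is the audit the CERT note above asks for. The jar filename patterns, the status labels and the install tree (constructed in a temp directory by build_sample) are assumptions of this example.

```python
import os, re, tempfile, zipfile

# Jar families the thread discusses: log4j-core 2.x (CVE-2021-44228) and the
# EOL log4j 1.2.x jar (CVE-2021-4104 via JMSAppender). Filename patterns are assumed.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)
CONF_RE = re.compile(r"^log4j.*\.(properties|xml)$", re.IGNORECASE)

def classify(version):
    """Map a (major, minor, patch) tuple to a status label (labels are this example's)."""
    if version[0] == 2:
        return "CVE-2021-44228" if version < (2, 15, 0) else "ok"  # threshold from the advisory
    if version[0] == 1:
        return "log4j-1.x-EOL"  # only exploitable when a JMSAppender is configured
    return "ok"

def scan(root):
    """Walk root and return sorted (relative path, status) pairs for every hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            m = JAR_RE.match(name)
            if m:
                findings.append((rel, classify(tuple(int(g) for g in m.groups()))))
            elif CONF_RE.match(name):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if "jmsappender" in fh.read().lower():
                        findings.append((rel, "JMSAppender configured (CVE-2021-4104)"))
    return sorted(findings)

def build_sample():
    """Constructed install tree mimicking the lib/ and Patch/ layout described in the thread."""
    root = tempfile.mkdtemp(prefix="me_log4j_")
    for rel in ("lib/log4j-core-2.11.1.jar", "lib/log4j-core-2.16.0.jar",
                "Patch/Backup-SP/SERVER/lib/log4j-1.2.15.jar"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as z:  # empty but valid jar
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    conf = os.path.join(root, "conf", "log4j.properties")
    os.makedirs(os.path.dirname(conf))
    with open(conf, "w") as fh:  # constructed 1.x config that does declare a JMSAppender
        fh.write("log4j.rootLogger=INFO, jms\n"
                 "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
    return root

if __name__ == "__main__":
    for rel, status in scan(build_sample()):
        print(f"{status:40} {rel}")
```

Point scan() at a real installation folder (including the jre\bin and Patch\ locations mentioned in the replies) to get the same listing for that tree.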


 * Patrik
 * 30 days ago

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
CVE-2021-4104: log4j version 1.2.x is vulnerable.
It's used in both Password Manager and ADSelfService to my knowledge. Any
advice as of yet?


 * Brian
 * 29 days ago

Found this on an up-to-date Desktop Central install:
LICENSE Log4j.txt
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
And:
C:\ManageEngine\DesktopCentral_Server\Patch\ManageEngine_Desktop_Central-10.1.0-SP-2127.20\SERVER\lib\log4j-1.2.15.jar


 * Akshaya M
 * 29 days ago

Hello Brian,

The Desktop Central product is not affected by the recent Apache RCE, since
the log4j 1.x version library is not vulnerable to CVE-2021-44228. We've
mentioned all the affected ManageEngine products above in the post.

Regarding the jar located in the Patch directory:
1. Before installation of a PPM, as per our flow, the existing data is backed
up to the location <Installation_Folder>\Patch\
2. This backup will only be used to restore the setup in case of any failure
while installing the PPM.
3. After successful installation of the PPM, the Patch folder will be cleaned
by a routine monthly scheduler task, and the jar files present inside this
folder are not used anywhere in the class path.

Thanks.


 * ross
 * 27 days ago

dear ME people,

in this thread and others I've seen you all note that "since the log4j 1.x
version library is not vulnerable to the CVE-2021-44228." this is, of course,
true.

but I think many of us are just learning that we have log4j 1.x as an integral
part of our ManageEngine products, and we'd like to know what/when you'll be
doing something about it. it went EOL in August of 2015, so it's been a full 6
years since anyone paid attention to vulnerabilities, and there appear to be
many.


 * ross
 * 27 days ago

there is a patch available for ADSelfService Plus that removes the log4j
dependency.

https://www.manageengine.com/products/self-service-password/service-pack.html

the most recent (6119).

after the installation, the log4j 1.x files are moved to 'patch' directories,
like \ManageEngine\ADSelfService
Plus\Patch\ManageEngine_ADSelfService_Plus-5.5.0-SP-9.9.0\SERVER\lib, at which
point they can be deleted. see the notes above for deletion.


 * Sam
 * 25 days ago

Hi ME people,

Appended to Mr. Ross's post, I'd just like to add that we also got no response
for an update on the Log4j 1.x vulnerability (CVE-2021-4104). You all mention
CVE-2021-44228, but not 4104. Much appreciated.


 * jacob aguinaga
 * 21 days ago

Is there any update on these? I am still seeing a handful of ME products with
vulnerable outdated versions still being marked critical by multiple
vulnerability scanners.


 * gsezen
 * 20 days ago

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

CVE-2021-44228 Detail
Current Description
Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features
used in configuration, log messages, and parameters do not protect against
attacker controlled LDAP and other JNDI related endpoints. An attacker who can
control log messages or log message parameters can execute arbitrary code loaded
from LDAP servers when message lookup substitution is enabled. From log4j
2.15.0, this behavior has been disabled by default. From version 2.16.0, this
functionality has been completely removed. Note that this vulnerability is
specific to log4j-core and does not affect log4net, log4cxx, or other Apache
Logging Services projects.

QUICK INFO
CVE Dictionary Entry: CVE-2021-44228
NVD Published Date: 12/10/2021
NVD Last Modified: 12/28/2021
Source: Apache Software Foundation


TAGS


security
apache
vulnerability

ManageEngine is a division of
Zoho Corp.

© 2021, Zoho Corp. All Rights Reserved.