Are currently supported versions of Foglight affected by the Apache log 4j2 vulnerability (CVE-2021-45105)? (4311783)

Chat now with support

Live-Hilfe anfordern
Registrierung abschließen

Anmelden

Preisinformationen anfragen

Vertrieb kontaktieren

Zurück

Feedback übermittelt

Konnten Sie mithilfe dieses Artikels ein Problem lösen?

Bewertung auswählen

Titel

Are currently supported versions of Foglight affected by the Apache log 4j2 vulnerability (CVE-2021-45105)?
Beschreibung
Are currently supported versions of Foglight affected by the Apache log4j2 vulnerability CVE-2021-45015?
Ursache

Apache log4j 2.16 vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2021-45105

From https://logging.apache.org/log4j/2.x/

This vulnerability affects only "When the logging configuration uses a non-default Pattern Layout with a Context Lookup ..."
Lösung
While the severity of this latest vulnerability is not as high as the previous vulnerabilities, for which Quest has supplied a fix to apply to Foglight to remove those vulnerabilities, Quest continues to monitor all documented log4j vulnerabilities.

Quest has confirmed that the latest CVE-2021-45105 vulnerability does not affect Foglight 6.0 customers.

The following components are not affected because these components use Log4J version 1.2.17.
- Foglight Management Server (all released version levels)
- Foglight Agent Manager (all released version levels)
- Foglight Evolve (all released version levels)
- Foglight for Virtualization, Enterprise Edition (FVE) (all versions)
- Foglight for Storage Management (FSM) (all versions)
- Foglight cartridges released below the 6.0.0 version
- These database cartridges are not affected: MySQL, PostgreSQL, MongoDB, Cassandra. Redshift
Although the Foglight 6.0.0 cartridges listed below with build IDs beginning with 6.0.0.10-2021121*-* include the log4j 2.16 version, Foglight is not affected by this issue because it is not using a Context Lookup in the code.
- Database cartridges: DB2, Oracle, Azure SQL, SQL Server, Sybase, MySQL PI
- Evolve cartridges: Active Directory (AD), Exchange, and Office365
The presence however of the Log4j 2.16 file in the Foglight Database cartridge folders may still be reported by security scan tools.

STATUS

Log4j 2.16 has been replaced with the Log4j 2.17.1 version in the 6.0.1.10 database cartridges available for download from here:
https://support.quest.com/foglight-for-databases/6.0.0/download-new-releases

Enhancement ID FOG-2989 has been logged to update the log4j version in Foglight Evolve to 2.17. This has been Included in version 6.1.0.

Enhancement ID FOG-3020 has been logged to update the log4j version in Foglight and Foglight for Databases to 2.17. This has been Included in version 6.1.0.
Fehler-ID

FOG-3020

Feedback übermittelt

Konnten Sie mithilfe dieses Artikels ein Problem lösen?

Bewertung auswählen

Request a KB Article

Empfohlener Inhalt

Produkt(e):: Foglight for Databases
7.1.0, 6.3.0, 6.1.0, 6.0.0, 5.9.7, 5.9.5, 5.9.4, 5.9.3, 5.9.2; Foglight Evolve
7.1.0, 6.3.0, 6.1.0, 6.0.0, 9.3, 9.2, 9.1, 9.0; Foglight for Virtualization Enterprise Edition
8.9.3, 8.9.2, 8.9.1, 8.9, 8.8.5, 8.8, 8.7.5, 8.7, 8.6, 8.5.5; Foglight
7.1.0, 6.3.0, 6.1.0, 6.0.0, 5.9.8, 5.9.7, 5.9.5, 5.9.4, 5.9.3, 5.9.2, 5.9.1, 5.7.5, 5.7.1

Thema/Themen:: Troubleshooting

Artikelhistorie:: Erstellt am: 12/20/2021
Letzte Aktualisierung am: 1/16/2024

Alle Artikel durchsuchen

Bitte w&auml;hlen Sie Ihr Produkt aus:

Damit wir Ihnen besser helfen können, geben Sie den Grund Ihres Chats an:

Empfohlene Lösungen für Ihr Problem

Are currently supported versions of Foglight affected by the Apache log 4j2 vulnerability (CVE-2021-45105)? (4311783)

Titel

Beschreibung

Ursache

Lösung

Fehler-ID

Leave a Comment

Bitte wählen Sie Ihr Produkt aus: