Log4j2 files missing from Foglight Management Server and installer (4225835)

UI issues in the Foglight Management Server after upgrading cartridges to the 5.9.7.23 or 5.9.7.24 version.

Corresponding Log4j 2.17.1 files are missing from the Foglight Management Server.

RESOLUTION 1  * Recommended *

Upgrade the Foglight Management Server, Foglight Agent Managers, and cartridges to the 6.1.0 or higher releases

RESOLUTION 2

1. Download the replacement DB_Global_View_UI-.5_9_7_24.car file attached to this Knowledgebase article (the user may need to be logged in to see the attachment)
2. Install the new cartridge into the Cartridge Inventory of the FMS.

Note: A previous version of this Knowledgebase article provided two Log4j files to be added to the FMS to resolved UI issues. These recommendation has been replaced with this new Global view cartridge.

1. Shut down the Foglight Management Server (FMS)
2. Delete the log4j-core.jar and log4j-api.jar files from the \quest\foglight\lib folder
3. Restart the FMS server

Does this issue affect any other cartridge versions?

R&D has confirmed that the issues were specific to the 5.9.7.23 and 5.9.7.24 cartridges installed in any FMS version below 6.1. 

What about the log4j.jar file already in the FMS lib folder?

R&D has confirmed that users should also leave the existing log4j.jar file on the FMS. 

Is there an impact on the Log4j vulnerability issue identified earlier?

This should not have any impact on the Log4j vulnerability issue.

Did the upgrade to the 5.9.7.23 or 5.9.7.24 cartridges introduce a security violation?

No security violation introduced with the cartridge. These cartridges replaced the older log4j versions with log4j 2.17.1. However this newer Log4j 2.17.1 is the cartridges requires a matching Log4j 2.17.1 jar files to be included on the FMS server to work.  What is suggested in Resolution 2 is to add the newer Log4j files with the older Log4j files already on the FMS. The FMS 5.9.8 (and 5.9.7, etc.) didn’t receive any Log4j update, these all continued to use the older Log4j files. Only the database cartridges were updated. Quest's primary recommendation is to upgrade all components to 6.1.0 and higher. 

Do the 5.9.7.22 cartridges have a security violation?

The Log4j CVE described in Knowledgebase article 336091 should not apply to 5.9.7.22 (and lower) either because the cartridges do not use the Java SocketServer class. The primary concern was that the database cartridges simply had the Log4j files present within the database cartridges. This prompted requests to have the 5.9.7.23 cartridges be repacked with the newer Log4j because the version numbers in the older Log4j files were being flagged by filename scanning software application analyzing Foglight Agent Manager servers.