CVE-2019-17571 in log4j versions 1.2 up to 1.2.17 should not apply to Foglight as Foglight does not use the SocketServer class. Hence, while the files may exist in Foglight libraries, the vulnerability is technically not possible with Foglight.
CVE-2021-4104 in Log4j 1.x should not apply to Foglight. This is because it requires the use of the JMSAppender which is not used in Foglight. It also requires that the attackers update the Log4j configuration, which means that they must have write access to the file system on which the FMS is installed. This would already constitute a compromised system.
CVE-2022-23307, CVE-2022-23305 and CVE-2022-23302 vulnerabilities in Log4j 1.x are also mitigated in Foglight because it does not use the Apache Chainsaw, JDBCAppender or JMSSink components featured in them.
For users that with a directive to delete any log4j files they find in their applications, this is not recommended as it can cause the Foglight Management Server and Foglight Agent Manager components not to start up successfully. This includes the 1.2.x versions in Foglight 5.9.x.
STATUS
For the Foglight 6.1.0 release, the log4j libraries were upgraded to 2.17.1 across all core components (FMS, FglAM) and cartridges.
