Get Live Help
Apache log4j 2.16 vulnerability
While the severity of this latest vulnerability is not as high as the previous vulnerabilities, for which Quest has supplied a fix to apply to Foglight to remove those vulnerabilities, Quest continues to monitor all documented log4j vulnerabilities.
Quest has confirmed that the latest CVE-2021-45105 vulnerability does not affect Foglight 6.0 customers.
The following components are not affected because these components use Log4J version 1.2.17.
Although the Foglight 6.0.0 cartridges listed below with build IDs beginning with 184.108.40.206-2021121*-* include the log4j 2.16 version, Foglight is not affected by this issue because it is not using a Context Lookup in the code.
The presence however of the Log4j 2.16 file in the Foglight Database cartridge folders may still be reported by security scan tools.
Log4j 2.16 has been replaced with the Log4j 2.17.1 version in the 220.127.116.11 database cartridges available for download from here:
Enhancement ID FOG-2989 has been logged to update the log4j version in Foglight Evolve to 2.17.
Enhancement ID FOG-3020 has been logged to update the log4j version in Foglight and Foglight for Databases to 2.17. These are planned for an upcoming release of Foglight, Foglight for Databases and Foglight Evolve.