Return
-
Title
The vulnerability scanner detects in the ITSS installation path that the version of Log4J is vulnerable. -
Description
Even though ITSS is not affected by the CVE-2021-44228 Log4j vulnerability as explained in the following KB article:https://support.quest.com/kb/335905The vulnerability scanner picked up other vulnerability IDs other than CVE-2021-44228. Instructions on how to remove the log4j 1.2 jar file from the server are needed to mitigate the unsupported version issue. -
Cause
IT Search currently utilizes log4j indirectly through Elastic Search. In the current configuration, the log4j DLL alongside Elastic Search is not using any of the vulnerable features (JMS Appender, for example). -
Resolution
The product team is aware of the vulnerability and has taken actions to eliminate it in the next release of ITSS version 11.5 - Elastic Search (and thus log4j) will be removed entirely. They have logged Enhancement Request ID is 352161 to keep track of it, please note that there is currently no ETA for the 11.5 release. -
Defect ID
352161 -
Additional Information
Enhancement Request ID: 352161 https://support.quest.com/kb/335905