On December 9, many of us were made aware of a vulnerability associated with the Apache log4j utility. Foglight for Databases and Foglight Evolve 6.0.0 are affected as described below.
Log4j is a common open-source logging utility. Foglight releases prior to version 6.0.0 do not use the affected version of log4j.
How does this affect me?
If you have deployed Foglight 6.0.0 with any of these cartridges, a fix is being tested that is expected to be available soon:
The fix, now being tested as a top priority in R&D/QA, upgrades the affected cartridges to the latest version of log4j v2, which is not affected. Please note that any Foglight release prior to version 6.0.0 is not affected.
If you would like to continue to use Foglight 6.0.0 before the fix is available, please apply the workaround detailed in Knowledgebase article 335908, which removes the vulnerabilities from all Foglight 6.0.0 components, including the Foglight Management Server, Foglight Agent Manager, and all cartridges.
Foglight Evolve and Foglight for Databases installers will be reposted. Once the fix is available we will send out an update notification.
Please know that the product team, R&D, and the Quest security team are doing all we can to assess and address vulnerabilities associated with the Apache log4j logging utility. There is no higher priority at this time.
If you need assistance after attempting the items above, contact Quest Technical Support.
We hope this answers your questions about this issue. If you have any additional questions, please reach out to Tim Fritz, Foglight product manager, at firstname.lastname@example.org