CVE-2019-17571 (Log4j 1.2 up to and including 1.2.17) should not apply to Foglight, because Foglight does not use the SocketServer class. The affected class files may therefore be present in the Foglight libraries, but the vulnerable code path is never exercised, so the vulnerability is not exploitable in Foglight.
CVE-2021-4104 in Log4j 1.x should not apply to Foglight. It requires the JMSAppender, which Foglight does not use, and it also requires the attacker to modify the Log4j configuration, which means write access to the file system of the machine hosting the Foglight Management Server (FMS). An attacker with that access has already compromised the system.
CVE-2022-23307, CVE-2022-23305 and CVE-2022-23302 in Log4j 1.x are likewise mitigated in Foglight, because it does not use the components they affect: Apache Chainsaw, JDBCAppender and JMSSink respectively.
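To confirm on your own installation that none of these components is actually configured, the following added example (not Quest's or Foglight's code) scans a Log4j 1.x configuration, in either log4j.properties or log4j.xml form, for references to the classes named above and maps each hit to the CVE that needs it. Commented-out lines are ignored, since they do not activate anything. The sample configurations are constructed for illustration; the tampered one shows the kind of change an attacker with write access would have to make before CVE-2021-4104 became reachable.

```python
import re

# Log4j 1.x components named in the advisory above, keyed to the CVE that is
# only reachable when the component is actually configured or run. The class
# and package names are the real ones from log4j 1.2.x. SocketServer is a
# standalone process rather than an appender, so it would normally only show
# up in a startup script; it is included for completeness.
RISKY_COMPONENTS = {
    "org.apache.log4j.net.SocketServer": "CVE-2019-17571",
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.chainsaw": "CVE-2022-23307",  # package prefix
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
}


def strip_comments(config_text):
    """Drop commented-out material so it does not trigger a false positive.

    Properties files comment out a line with a leading '#' or '!';
    log4j.xml uses XML comments. Both styles are handled.
    """
    without_xml = re.sub(r"<!--.*?-->", "", config_text, flags=re.S)
    kept = [line for line in without_xml.splitlines()
            if not line.lstrip().startswith(("#", "!"))]
    return "\n".join(kept)


def find_risky_components(config_text):
    """Return {component: cve} for each risky component that the active
    (uncommented) part of a Log4j 1.x configuration references.

    An empty dict means the configuration stays on the code paths the
    advisory describes as unaffected.
    """
    active = strip_comments(config_text)
    return {
        name: cve
        for name, cve in RISKY_COMPONENTS.items()
        if re.search(re.escape(name) + r"\b", active)
    }


# Constructed sample: a typical file-only log4j.properties, with one risky
# appender present only as a commented-out line.
CLEAN_PROPERTIES = """\
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.FILE.File=logs/server.log
log4j.appender.FILE.layout=org.apache.log4j.PatternLayout
log4j.appender.FILE.layout.ConversionPattern=%d %-5p [%t] %c - %m%n
# log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
"""

# Constructed sample of the change an attacker with write access to the
# configuration would have to make before CVE-2021-4104 became reachable.
TAMPERED_PROPERTIES = CLEAN_PROPERTIES + """\
log4j.rootLogger=INFO, FILE, JMS
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=logTopic
"""

# Constructed sample in log4j.xml form: JDBCAppender is active, JMSSink
# appears only inside an XML comment and must not be reported.
XML_CONFIG = """\
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="DB" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="URL" value="jdbc:hsqldb:mem:logs"/>
  </appender>
  <!-- <appender name="SINK" class="org.apache.log4j.net.JMSSink"/> -->
  <root><level value="INFO"/><appender-ref ref="DB"/></root>
</log4j:configuration>
"""


if __name__ == "__main__":
    for label, cfg in [("clean properties", CLEAN_PROPERTIES),
                       ("tampered properties", TAMPERED_PROPERTIES),
                       ("xml with JDBCAppender", XML_CONFIG)]:
        hits = find_risky_components(cfg)
        print(f"{label}: {hits or 'no risky components referenced'}")
```

Run the same function over the contents of every log4j configuration file under the Foglight Management Server and Foglight Agent Manager installation directories. A hit does not by itself prove exploitability, and an empty result only covers file-based configuration (an appender can also be attached programmatically), but the scan is a quick way to verify that the "not in use" condition the advisory relies on still holds after any local customisation.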
Users who have been directed to delete any log4j files found in their applications should not do so in Foglight: removing them can prevent the Foglight Management Server and Foglight Agent Manager from starting. This applies to the Log4j 1.2.x files shipped with Foglight 5.9.x as well.
The next phase of Quest's response, a closer study of all areas of Foglight prior to 6.0 (that is, 5.9.x) that use Log4j 1.x, with an action plan for each, has already begun. As noted above, Foglight only uses Log4j 1.2.17.