I am seeing an instance of log4j on my root server under the SA PlanEngine folder. Has there been any guidance on updating SA? The last update was in Sept if I remember correct. Did not find anything for SA on the Known BF Issues link.
\BigFix Enterprise\BES Server\Applications\PlanEngine\lib\log4j-api-2.4.jar
The vulnerabilities appear to be only in log4j-core-X.jar, not in log4j-api-X. We don’t include log4j-core in Server Automation.
We are planning a version refresh in a future Server Automation release, but SA is not vulnerable to the CVEs disclosed over the last couple of weeks.
Ok. We are getting questioned on Log4J-anything now and trying to explain the difference to management is fun.
Thanks Jason
Happy to help. If it’s useful at all you can find and reference this statement on the vulnerabilities from the Apache page at Log4j –
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
Well, as a matter of fact… Content in the BigFix Server Automation site has been modified 2021-12-23
Ask and ye shall receive. Perfect, thanks