Hi,
Is there any news on this topic?
We run version 7.3(E0705P12). When I do a vulnerability scan on that system, it looks clean for the problem with Log4j.
Now, I did an update on a test system to the newest version 7.3(E0706H07). Now the vulnerability scanner is complaining that the unsupported version 1.2.17 of Apache Log4j was found.
The path to the file: C:\Program Files\iMC\client\web\apps\rpt\WEB-INF\lib\log4j-1.2.17.jar
Version 1.2.17 reached its end of life prior to 2016, and I have a Risk Factor with a CVSS v3.0 Base Score of 10.0 on that system.
So the audit fails on that system.
Are there any plans to implement a supported version that is not vulnerable?
Many thanks
Markus
------------------------------
Markus Huether
------------------------------
Original Message:
Sent: Jan 25, 2022 06:13 AM
From: sebastian cerazy
Subject: IMC & Log4J Critical Vulnerability
Mine has the date of today's update (but I did both at the same time)
MD5: FB87BD84E336CA3DC6B6C108F51BF25E
SHA-1: 4F90475694C41965C9A0C8BAC53EA5C690DEA446
SHA-256: A2234476879B9E76F99A561F3D9DA243684EDB54B0B44EF7C0CF7A1A3D1E6776
Inside, the date of everything is 2012-05-06
------------------------------
spgsitsupport
Original Message:
Sent: Jan 21, 2022 10:19 AM
From: Jeff Fulkerson
Subject: IMC & Log4J Critical Vulnerability
I have upgraded our IMC server from E0706 to E0706P06 and then to E0706H07. However, our internal scans are still showing that the IMC server is still vulnerable to the log4j vulnerability because of this file on the server:
C:\Program Files\iMC\client\web\apps\rpt\WEB-INF\lib\log4j-1.2.17.jar
The modification date and time of the above file was when I upgraded to E0706P06. It does not appear that it was touched during the E0706H07 patch. I am curious if this file is still being used, or if it can be deleted. Does this file still exist on your system after the patches were applied?
------------------------------
Jeff Fulkerson
Original Message:
Sent: Dec 13, 2021 08:12 AM
From: Jerome BAILLIART
Subject: IMC & Log4J Critical Vulnerability
Hello,
Is there a hotfix planned to be released ASAP regarding this new critical vulnerability (10 out of 10 CVSS)?
https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/
Attached file is a screenshot of log4j directories used by iMC.
Many thanks in advance!
Jerome.
------------------------------
Jerome BAILLIART
------------------------------
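Added example, not part of any post in this thread or of HPE's software: it automates the checks the posters describe doing by hand (file hash, dates inside the jar) and also reports which Log4j generation's classes the archive holds, since the JNDI lookup class behind Log4Shell ships in Log4j 2.x core while 1.x uses the `org.apache.log4j` package. `inspect_jar` and `build_sample_jar` are hypothetical names, and the sample jar is constructed so the block runs offline.

```python
import hashlib
import io
import zipfile

# Class entries that distinguish the two Log4j generations.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # Log4j 2.x core
V1_LOGGER = "org/apache/log4j/Logger.class"                            # Log4j 1.x
V1_JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"             # Log4j 1.x


def inspect_jar(data: bytes) -> dict:
    """Summarise a jar given as bytes: hash, manifest version, entry dates, marker classes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        infos = jar.infolist()
        names = {i.filename for i in infos}
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                key, _, value = line.partition(":")
                if key.strip() in ("Implementation-Version", "Bundle-Version"):
                    version = value.strip()
                    break
        # Format the stored DOS date directly; some archives carry invalid dates.
        dates = sorted("%04d-%02d-%02d" % i.date_time[:3] for i in infos)
    return {
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "manifest_version": version,
        "oldest_entry": dates[0] if dates else None,
        "newest_entry": dates[-1] if dates else None,
        "log4j1_classes": V1_LOGGER in names,
        "log4j1_jms_appender": V1_JMS_APPENDER in names,
        "log4j2_jndi_lookup": JNDI_LOOKUP in names,
    }


def build_sample_jar() -> bytes:
    """Constructed stand-in for a Log4j 1.x jar (empty class files, fixed entry date)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        entries = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n",
                   V1_LOGGER: "", V1_JMS_APPENDER: ""}
        for name, body in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=(2012, 5, 6, 13, 0, 0)), body)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in inspect_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

To check a real file, pass its bytes, for example `inspect_jar(open(path, "rb").read())`.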