CVE-2021-44228 & CVE-2021-45105 : Log4j vulnerability impact on FlexNet Publisher

Background

A vulnerability identified as CVE-2021-44228 and CVE-2021-45105 has been reported in the Apache Log4j library. 

We have heard some reports from license server administrators that a possible vulnerability was flagged by their server scanners. The affected files triggering this warning are only used as examples that ship with the lmadmin installer but are not actually used. 

Resolution

The GoldSim product itself is not vulnerable to log4j as this module is not shipped or used by GoldSim software. The license server used to serve GoldSim Network licenses "FlexNet Publisher License Server" (FNPLS) is also not vulnerable to the log4j vulnerability because FNP does not use any JNDI data source. 

To address any flagged vulnerabilities related to log4j example files installed with lmadmin, follow these steps:

1. If you haven't done so already, download the latest version of the FlexNet Publisher License Server from here: GoldSim Network Downloads.
2. Delete the following directory: C:\Program Files\FlexNet Publisher License Server Manager\examples\alerter

If you experience any issues or have further questions about the steps above, please let us know by commenting below this article.