Background
Two vulnerabilities, identified as CVE-2021-44228 and CVE-2021-45105, have been reported in the Apache Log4j library.
Resolution
The GoldSim product itself is not affected by the Log4j vulnerabilities because Log4j is not shipped with or used by GoldSim software. The license server used to serve GoldSim Network licenses, "FlexNet Publisher License Server" (FNPLS), is also not vulnerable because FNP does not use any JNDI data source. We have heard reports from license server administrators that their server scanners flagged a possible vulnerability. The files that trigger this warning ship with the lmadmin installer only as examples and are not actually used.
Workaround
If you are hosting a GoldSim Network license using Flexera's FlexNet Publisher (FNP) License Server and want to avoid seeing possible security warnings related to the log4j example files installed with lmadmin, follow the steps described below. FNP License Server (v11.18.3.0 or older), a third-party product required only when hosting GoldSim Network licenses, includes components affected by the vulnerability.
- If you haven't done so already, download the latest version of the FlexNet Publisher License Server (lmadmin 11.19.1.0).
- If you already have the latest version installed, skip to step 5.
- Uninstall the Network License Server.
- Install and Configure a Network License.
- Delete the following 3 files from this location: C:\Program Files (x86)\FlexNet Publisher License Server Manager\examples\alerter\lib
  - log4j-1.2-api-2.13.3.jar
  - log4j-api-2.13.3.jar
  - log4j-core-2.13.3.jar
- Download the apache-log4j-2.18.0 zip file from Apache Downloads.
- Unzip and move the following files to the same folder specified in step 4:
  - log4j-1.2-api-2.18.0.jar
  - log4j-api-2.18.0.jar
  - log4j-core-2.18.0.jar
Because the files shown above are only used as examples, these steps will not affect any operations of the License Server used to serve GoldSim licenses. If you experience any issues or have further questions about the steps above, please let us know by commenting below this article.
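The file swap in the steps above can be scripted and then verified. The following PowerShell is an added example, not part of the original article and not supplied by GoldSim or Flexera. The `$NewJarDir` default is an assumed location for the unzipped Log4j 2.18.0 download; the script only reports what is in the folder unless it is run with `-Apply` from an elevated prompt.

```powershell
# Added example, not vendor-supplied code.
# $NewJarDir is an ASSUMED location for the unzipped Log4j 2.18.0 download; adjust as needed.
param(
    [string]$LibDir    = 'C:\Program Files (x86)\FlexNet Publisher License Server Manager\examples\alerter\lib',
    [string]$NewJarDir = 'C:\Temp\apache-log4j-2.18.0',   # assumption, not from the article
    [switch]$Apply     # without -Apply nothing is deleted or copied
)

$oldJars = 'log4j-1.2-api-2.13.3.jar', 'log4j-api-2.13.3.jar', 'log4j-core-2.13.3.jar'
$newJars = 'log4j-1.2-api-2.18.0.jar', 'log4j-api-2.18.0.jar', 'log4j-core-2.18.0.jar'

if (-not (Test-Path -LiteralPath $LibDir -PathType Container)) {
    throw "Example library folder not found: $LibDir"
}

if ($Apply) {
    # Confirm every replacement jar is present before deleting anything.
    $missing = $newJars | Where-Object { -not (Test-Path -LiteralPath (Join-Path $NewJarDir $_)) }
    if ($missing) { throw "Replacement jars missing from ${NewJarDir}: $($missing -join ', ')" }

    foreach ($jar in $oldJars) {
        $path = Join-Path $LibDir $jar
        if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path -Force }
    }
    foreach ($jar in $newJars) {
        Copy-Item -LiteralPath (Join-Path $NewJarDir $jar) -Destination $LibDir -Force
    }
}

# Report every log4j jar left in the folder and whether it is the 2.18.0 build.
Get-ChildItem -LiteralPath $LibDir -Filter 'log4j-*.jar' | ForEach-Object {
    $version = if ($_.Name -match '-(\d+\.\d+\.\d+)\.jar$') { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{
        File     = $_.Name
        Version  = $version
        Expected = ($version -eq '2.18.0')
        SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize
```

Any row with `Expected` set to `False` is a jar that a scanner is still likely to flag.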