Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Windows One-X Portal Log4J Patch 4

Status
Not open for further replies.

JoeNewton

Technical User
Jan 14, 2012
56
GB
Hi Guys,

We have a customer on R11 with a Windows Server installation of One-X Portal. We have upgraded them to the latest R11 version, and run the Log4j patch, but when they do a search of the C drive for Log4j they still see version 2.12.1 in the One-X directory, which is one of the vulnerable versions. Do you know what this patch is designed to do? Should it have been upgraded to a none affected version (2.17.0 I believe), or have they mitigated the vulnerability in some other way?

I need to reassure the customer that the patch has resolved the vulnerability.

Thanks!

Joe

Joe Newton
 
Hello JoeNewton,

Refer to page 3 of the release notes of the patch zip file:

To close both vulnerabilities, as per the mitigation steps (Log4j – Apache Log4j Security Vulnerabilities ) provided by the Apache, JndiLookup class is removed from the log4j V2.12.1 libraries used in the applications.

Hope this info helps.

Z
 
And that is not enough, as there is a third vulnerability found. Avaya should provide an update to the 2.17 version of log4J.

BAZINGA!

I'm not insane, my mother had me tested!
 
Thanks both. Does the new vulnerability have an affect even with JndiLookup removed? I thought it just extended the affected versions up to 2.16? Either way, hopefully that line from the release notes will satisfy the customer until a new patch is released.

Joe

Joe Newton
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top