VMware Horizon Community
frahlick
Contributor

Log4J 1.2.17 on UAG updated to 2111.2

Hello All!

My organization recently updated our UAG to 2111.2 in order to not be vulnerable to the recent CVEs. Unfortunately, our vulnerability scanner still detects that version 1.2.17 is installed in the filepath /opt/vmware/gateway/lib/admin-21.11.2.0-exec.jar, leaving us vulnerable to CVE-2021-4104. The JMSAppender class is found, and from my understanding this means we are still vulnerable.

Our leadership has determined that no devices with vulnerable versions can remain online until updated. I'm wondering if anyone knows if there's a way to update this .jar file as part of an SDK update, or manually? I'm not overly familiar with VMware instances (I'm on the compliance side) and am just trying to help the admin out and keep their device online. Forgive me if this is a dumb or played-out question 🙂

Thanks in advance!

sjesse
Leadership

You really shouldn't mess with anything in a UAG. If you haven't already, look at deploying UAGs with PowerShell so if and when you need to upgrade, it's easy. Impact should be minimal if you have 2 and put one in quiesce mode and let it drain before upgrading.

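Added example, not part of the thread and not VMware code: a Python check that reproduces what a file-based scanner sees in an archive such as the admin-21.11.2.0-exec.jar named above, descending into nested jars. The CVE-2021-4104 description limits the issue to Log4j 1.2 that is specifically configured to use JMSAppender, so the check reports a packaged class and a configuration reference as separate findings; the sample archive, its BOOT-INF layout and all function names are constructed for illustration.

```python
import io
import zipfile

JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
CONFIG_NAMES = ("log4j.properties", "log4j.xml")


def scan_archive(data, label, max_depth=4):
    """Return findings for one archive, descending into nested archives.

    Each finding is (kind, location): kind is "class" when JMSAppender.class
    is packaged, "config" when a Log4j 1.x config file names JMSAppender.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            where = f"{label}!/{name}"
            base = name.rsplit("/", 1)[-1]
            if name.endswith(JMS_CLASS):
                findings.append(("class", where))
            elif base in CONFIG_NAMES:
                if b"JMSAppender" in zf.read(name):
                    findings.append(("config", where))
            elif name.lower().endswith(ARCHIVE_EXT) and max_depth > 0:
                findings += scan_archive(zf.read(name), where, max_depth - 1)
    return findings


def build_sample():
    """Constructed sample (not the UAG jar): outer jar with a nested log4j jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JMS_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-1.2.17.jar", inner.getvalue())
        zf.writestr("BOOT-INF/classes/log4j.properties",
                    b"log4j.rootLogger=INFO, file\n")
    return outer.getvalue()


if __name__ == "__main__":
    for kind, where in scan_archive(build_sample(), "sample-exec.jar"):
        print(kind, where)
```

To check a real file, read the bytes of a copy of the jar taken off the appliance and pass them to `scan_archive`. A "class" finding with no "config" finding means the class is packaged but no bundled Log4j 1.x configuration file names it; configuration loaded from outside the archive is not covered.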