Tenable scan on AEM Forms JBoss 6.5.12 on WIN2019 log4j-1.2.14 | Community
June 8, 2022

Tenable scan on AEM Forms JBoss 6.5.12 on WIN2019 log4j-1.2.14


We installed AEM Forms JBoss 6.5.12 on WIN SERVER 2019. A recent Tenable Nessus scan showed some log4j CVEs, specifically v.1.2.14, from the following locations:

 

<plugin_output>
  Path              : M:\Temp\adobejb_server1\ArchiveStore\40\log4j-1.2.14.jar
  Installed version : 1.2.14

  Path              : M:\Adobe\Adobe_Experience_Manager_Forms\sdk\client-libs\thirdparty\log4j-1.2.14.jar
  Installed version : 1.2.14

  Path              : M:\Adobe\Adobe_Experience_Manager_Forms\deploy\adobe-edcserver-jboss.ear
  Installed version : 1.2.14
</plugin_output>

 

The solution from Tenable is to upgrade this to the latest 2.17.2.

 

This v.1.2.14 version came with the installed package along with v.2.x. After talking to Adobe tech support, they say there's no fix/patch to remove v.1.x.

 

My questions are:

 

1. How do I fix this?

2. Can I just delete/remove these JAR and EAR files? Do they have any dependencies that will break something?

 

Thank you for any assistance.
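An added example, not part of the original thread and not Adobe or Tenable code: the scan output above lists an EAR as one of the locations, and assuming that means a copy of the jar is packaged inside it, a search of loose files alone would not show it. This Python inventory reports log4j 1.x jars by file name, including copies nested inside EAR/WAR archives; the function names and the sample tree are constructed for illustration.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_EXT = (".jar", ".ear", ".war", ".rar", ".sar", ".zip")
# Matches log4j-1.x[.y].jar only; log4j-core-2.x and log4j-1.2-api-2.x do not match.
LOG4J1_NAME = re.compile(r"(?:^|/)log4j-(1\.\d+(?:\.\d+)*)\.jar$", re.I)

def scan_archive(src, label, hits):
    """Append (location, version) for log4j 1.x jars, descending into nested
    archives. A name match counts only if the jar holds the org.apache.log4j package."""
    try:
        zf = zipfile.ZipFile(src)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable, or not really a zip
    with zf:
        names = zf.namelist()
        m = LOG4J1_NAME.search(label.replace("\\", "/"))
        if m and any(n.startswith("org/apache/log4j/") for n in names):
            hits.append((label, m.group(1)))
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                scan_archive(io.BytesIO(zf.read(n)), f"{label}!/{n}", hits)

def find_log4j1(root):
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            scan_archive(path, str(path), hits)
    return sorted(hits)

def make_zip(entries):
    """Build a zip in memory from {name: bytes}; used only for the sample tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def build_sample(root):
    """Constructed sample: a loose 1.2.14 jar and an EAR carrying a nested copy."""
    old = make_zip({"org/apache/log4j/Logger.class": b""})
    ear = make_zip({"lib/log4j-1.2.14.jar": old, "lib/log4j-core-2.17.2.jar": make_zip({})})
    Path(root, "log4j-1.2.14.jar").write_bytes(old)
    Path(root, "sample.ear").write_bytes(ear)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*find_log4j1(tmp), sep="\n")
```

Matching is by file name, so a renamed or repackaged copy of the library is not reported.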

 

 


1 reply

Pulkit_Jain_
Adobe Employee
June 9, 2022

@dtran2022 

As informed already, the 0-day vulnerability (CVE-2021-44228) was raised for log4j-core, so there is no fix in 6.5 for log4j and log4j-api. Also, we understand that the log4j 1.x library is quite old, and we already have an enhancement request raised for updating the library.

It's not recommended to remove this library, as a few form modules have a dependency on it.

Could you share the scan report/any reported CVEs on the support ticket (and DM the ticket#)? We will try to expedite the investigation. The business impact details will also help.

dtran2022 (Author)
Level 2
June 9, 2022

@pulkit_jain_ I've sent you a private message. Thanks.