
Tenable scan on AEM Forms JBoss 6.5.12 on WIN2019 log4j-1.2.14

Level 2

We installed AEM Forms JBoss 6.5.12 on WIN SERVER 2019. A recent Tenable Nessus scan showed some log4j CVEs, specifically for v1.2.14, from the following locations:

<plugin_output>
  Path              : M:\Temp\adobejb_server1\ArchiveStore\40\log4j-1.2.14.jar
  Installed version : 1.2.14

  Path              : M:\Adobe\Adobe_Experience_Manager_Forms\sdk\client-libs\thirdparty\log4j-1.2.14.jar
  Installed version : 1.2.14

  Path              : M:\Adobe\Adobe_Experience_Manager_Forms\deploy\adobe-edcserver-jboss.ear
  Installed version : 1.2.14
</plugin_output>

The solution from Tenable is to upgrade this to the latest version, 2.17.2.

This v1.2.14 version came with the installed package along with v2.x. After talking to Adobe tech support, they say there is no fix/patch to remove v1.x.

My questions are:

1.  How do I fix this?

2.  Can I just delete/remove these JAR and EAR files? Do they have any dependencies that will break something?

Thank you for any assistance.

2 Replies


Employee Advisor

@dtran2022 

As informed already, the 0-day vulnerability (CVE-2021-44228) was raised for log4j-core, so there is no fix in 6.5 for log4j and log4j-api. Also, we understand that the log4j 1.x library is quite old, and we already have an enhancement request raised for updating the library.

It's not recommended to remove this library, as a few Forms modules have a dependency on it.

Could you share the scan report/any reported CVEs on the support ticket (and DM the ticket#)? We will try to expedite the investigation. The business impact details will also help.
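The Nessus output above lists two loose jars and one EAR, but for the EAR it does not say which nested archive carried 1.2.14, and a reply that says "do not remove it" still leaves the administrator wanting an exact inventory to attach to the support ticket. The script below is an added example written for this thread; it is not code from the original post, from Adobe, or from Tenable. It walks a root directory, opens every archive, recurses into jars nested inside EAR/WAR files, and reports the log4j family (1.x vs 2.x by package root), the version from META-INF/MANIFEST.MF (falling back to the file name), and whether the JndiLookup class is present. The sample tree it builds under a temporary directory is constructed to mirror the three reported paths and is not real AEM Forms data.

```python
"""Inventory log4j jars on disk and nested inside EAR/WAR archives.

Added example (not from the thread, Adobe or Tenable). The sample layout
built by build_sample_tree() is constructed to mirror the Nessus hits.
"""
import io
import os
import re
import tempfile
import zipfile

LOG4J1_PKG = "org/apache/log4j/"             # package root of log4j 1.x
LOG4J2_PKG = "org/apache/logging/log4j/"     # package root of log4j 2.x
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".ear", ".war", ".zip")
VERSION_RE = re.compile(r"(\d+\.\d+(?:\.\d+)*)")


def manifest_version(zf):
    """Version declared in META-INF/MANIFEST.MF, or None if there is none."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        for key in ("Implementation-Version:", "Bundle-Version:"):
            if line.startswith(key):
                return line.split(":", 1)[1].strip()
    return None


def inspect_archive(zf, location):
    """Findings for one open ZipFile; recurses into nested jars/wars/ears."""
    findings = []
    names = zf.namelist()
    has_v1 = any(n.startswith(LOG4J1_PKG) for n in names)
    has_v2 = any(n.startswith(LOG4J2_PKG) for n in names)
    if has_v1 or has_v2:
        version = manifest_version(zf)
        if version is None:  # no manifest version: fall back to the file name
            m = VERSION_RE.search(os.path.basename(location))
            version = m.group(1) if m else "unknown"
        # The 2.x bridge jar (log4j-1.2-api) also ships org/apache/log4j/
        # classes, so the manifest version is what separates it from real 1.x.
        findings.append({
            "path": location,
            "family": "log4j-2.x" if has_v2 else "log4j-1.x",
            "version": version,
            "jndi_lookup": JNDI_LOOKUP in names,
        })
    for n in names:  # nested archives, e.g. lib/*.jar inside an EAR
        if n.lower().endswith(ARCHIVE_EXT):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(n)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_archive(nested, f"{location}!/{n}"))
    return findings


def scan_tree(root):
    """Scan every archive under root, including archives nested inside EARs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda x: x["path"])


def make_jar(version, entries):
    """Build an in-memory jar with a manifest and the given (empty) entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for e in entries:
            zf.writestr(e, b"")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed layout mirroring the Nessus hits (not real AEM Forms data)."""
    thirdparty = os.path.join(root, "sdk", "client-libs", "thirdparty")
    deploy = os.path.join(root, "deploy")
    os.makedirs(thirdparty)
    os.makedirs(deploy)
    log4j1 = make_jar("1.2.14", ["org/apache/log4j/Logger.class"])
    log4j2 = make_jar("2.17.1", ["org/apache/logging/log4j/core/Logger.class",
                                 JNDI_LOOKUP])
    other = make_jar("2.11.0", ["org/apache/commons/io/IOUtils.class"])
    with open(os.path.join(thirdparty, "log4j-1.2.14.jar"), "wb") as fh:
        fh.write(log4j1)
    with zipfile.ZipFile(os.path.join(deploy, "adobe-edcserver-jboss.ear"), "w") as ear:
        ear.writestr("lib/log4j-1.2.14.jar", log4j1)       # nested 1.x copy
        ear.writestr("lib/log4j-core-2.17.1.jar", log4j2)  # nested 2.x copy
        ear.writestr("lib/commons-io-2.11.0.jar", other)   # unrelated, not reported


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['family']:10} {f['version']:8} jndi={f['jndi_lookup']!s:5} {f['path']}")
```

To inventory a real install, call scan_tree() on the AEM Forms root instead of demo(); the "ear!/lib/..." paths it prints are the nested jars Nessus folds into the single EAR hit, which is the detail worth putting on the support ticket the reply asks for. Two caveats: log4j 2.17.x still ships JndiLookup.class with JNDI lookups disabled, so the version rather than the class is the CVE-2021-44228 signal (the flag is useful only to confirm the class-removal mitigation on older builds), and the script documents what is present without deleting anything, which is the point of the reply above.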