Update on The Recent Apache Log4j2 Vulnerability
(Impact on ManageEngine on-premises products)
A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j2 utility was disclosed publicly on December 9, 2021. The vulnerability impacts Apache Log4j2 versions below 2.15.0. Find the details of this vulnerability documented here: https://logging.apache.org/log4j/2.x/security.html
ManageEngine products bundled with vulnerable Log4j2:
||Jar version in bundled dependency
|M365 Manager Plus
|Exchange Reporter Plus
|Cloud Security Plus
Please note that ManageEngine has not identified any exploitable cases due to Log4j2 in the above products as they do not use Log4j directly for logging. But, some of the third parties they use bundle Log4j2 as a dependency. So as an additional safety measure, customers are instructed to apply the mitigation steps listed below
- ADManager Plus
- ADAudit Plus
- DataSecurity Plus
- EventLog Analyzer
- M365 Manager Plus
- RecoveryManager Plus
- Exchange Reporter Plus
- Log360 UEBA
- Cloud Security Plus
Other ManageEngine products that are not listed above are not impacted by this vulnerability.
note: we'll update this as soon as possible when ManageEngine provides information.
For ADManager Plus
Please find below the updated precautionary measures against the log4j vulnerability, from ManageEngine.
Stop ADManager Plus
Delete the following files from ADManager Plus\ES\lib after taking backup
Download the zip from the below link and extract the following files
Place the extracted files in ADManager Plus\ES\lib
Start the ADManager Plus
Note: The old mitigation measures are discredited and the new version of Log4j jar was released by apache.
Questions? Please contact us.