Update on The Recent Apache Log4j2 Vulnerability


(Impact on ManageEngine on-premises products)

A high-severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j2 utility was publicly disclosed on December 9, 2021. The vulnerability impacts Apache Log4j2 versions below 2.15.0. The details of this vulnerability are documented here: https://logging.apache.org/log4j/2.x/security.html

ManageEngine products bundled with vulnerable Log4j2:

| Product name | Jar version in bundled dependency |
|---|---|
| ADManager Plus | V2.11.1 |
| ADAudit Plus | V2.10.0 |
| DataSecurity Plus | V2.10.0 |
| EventLog Analyzer | V2.9.1 |
| M365 Manager Plus | V2.11.1 |
| RecoveryManager Plus | V2.11.1 |
| Exchange Reporter Plus | V2.11.1 |
| Log360 | V2.9.1 |
| Log360 UEBA | V2.11.1 |
| Cloud Security Plus | V2.9.1 |

Please note that ManageEngine has not identified any exploitable cases due to Log4j2 in the above products, as they do not use Log4j directly for logging. However, some of the third-party components they use bundle Log4j2 as a dependency. As an additional safety measure, customers are therefore instructed to apply the mitigation steps for the products listed below:

  1. ADManager Plus
  2. ADAudit Plus 
  3. DataSecurity Plus 
  4. EventLog Analyzer 
  5. M365 Manager Plus 
  6. RecoveryManager Plus
  7. Exchange Reporter Plus 
  8. Log360
  9. Log360 UEBA
  10. Cloud Security Plus

Other ManageEngine products that are not listed above are not impacted by this vulnerability.
Note: We will update this page as soon as ManageEngine provides more information.

For ADManager Plus

The updated precautionary measures from ManageEngine against the Log4j vulnerability are as follows.

Stop ADManager Plus

After taking a backup, delete the following files from ADManager Plus\ES\lib:

  • log4j-1.2-api-2.11.1.jar
  • log4j-api-2.11.1.jar
  • log4j-core-2.11.1.jar

Download the zip from the link below and extract the following files:

https://downloads.zohocorp.com/dnd/ADManager_Plus/hX2WrCzyP5wZ0I2/log4j-2.17.zip

  • log4j-1.2-api-2.16.0.jar
  • log4j-api-2.16.0.jar
  • log4j-core-2.16.0.jar

Place the extracted files in ADManager Plus\ES\lib

Start ADManager Plus

Note: The old mitigation measures have been discredited, and a new version of the Log4j jar has been released by Apache.
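A post-swap check for the steps above, as an added example that is not ManageEngine's or Optrics' own tooling: it lists the Log4j2 jars left in a lib directory and flags any below 2.15.0, the threshold stated at the top of this page. It assumes the jar manifest carries an Implementation-Version entry and falls back to the file name when it does not; the function names and the sample directory are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (2, 15, 0)  # the advisory: Log4j2 versions below 2.15.0 are affected
NAME_RE = re.compile(r"^log4j-(?:core|api|1\.2-api)-(\d+(?:\.\d+)+)\.jar$", re.I)

def as_tuple(version):
    """'2.9.1' -> (2, 9, 1); short versions are zero-padded to three parts."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple((nums + [0, 0, 0])[:3])

def manifest_version(jar):
    """Implementation-Version from the jar manifest (assumed present), else None."""
    try:
        with zipfile.ZipFile(jar) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def audit_lib(lib_dir):
    """Return (file name, effective version, verdict) for each Log4j2 jar in lib_dir."""
    findings = []
    for jar in sorted(Path(lib_dir).glob("log4j-*.jar")):
        m = NAME_RE.match(jar.name)
        if not m:
            continue
        # Trust the manifest over the file name: a renamed old jar is still old.
        version = manifest_version(jar) or m.group(1)
        verdict = "AFFECTED" if as_tuple(version) < FIXED else "ok"
        findings.append((jar.name, version, verdict))
    return findings

def demo():
    """Constructed sample: a lib directory after an incomplete jar swap."""
    lib = Path(tempfile.mkdtemp())
    for name, mf in [("log4j-api-2.16.0.jar", "2.16.0"),
                     ("log4j-core-2.16.0.jar", "2.11.1"),   # old jar, renamed
                     ("log4j-1.2-api-2.11.1.jar", None)]:   # left behind, no manifest
        with zipfile.ZipFile(lib / name, "w") as zf:
            if mf:
                zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {mf}\n")
    return audit_lib(lib)

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

On a real installation, call audit_lib with the full path to the product's ES\lib directory once the new jars are in place and before starting the service.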
