Updated 17 October 2022 (UMS version 6.10.130 available)

First published 12 September 2022

CVSS 3.1: 3.4 (Low)

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L

Summary

Universal Management Suite (UMS) has been found to still contain an obsolete and vulnerable Log4j version. Affected products:

  • UMS on Windows with High Availability (HA) option installed
  • UMS on Linux, default installation

Details

Although IGEL has replaced most of Log4j in UMS with a different logging solution, UMS up to version 6.10.120 still contains an instance of Log4j version 1.x. It is located at messageservice/lib/optional/log4j-1.2.14.jar in the UMS installation directory.

This version is unmaintained, and the vulnerabilities associated with version 1.x could have a low impact on the application’s confidentiality and availability.

UMS contains further files with log4j in their filenames, such as log4j-api-2.17.1.jar. These do not indicate that vulnerable Log4j versions are present. Rather, they are API bridges used by IGEL to replace Log4j with a different logging solution. They pose no risk.

Do not delete files from IGEL UMS installations. This will break the application.
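
A read-only way to check an installation for the file described above, as an added example (not IGEL's own tooling): it goes by file names only, lists every jar with log4j in its name, and reports the Log4j 1.x library separately from other log4j-named files such as log4j-api-2.17.1.jar. The labels, the function names and the demo tree built when no directory is given are assumptions of this example.

```python
"""Read-only inventory of log4j-named jars under a UMS installation directory."""
import re
import sys
import tempfile
from pathlib import Path

# "<artifact>-<version>.jar". The greedy artifact group keeps a name such as
# "log4j-1.2-api-2.17.1.jar" from being read as artifact "log4j", version 1.2.
JAR_RE = re.compile(r"^(?P<artifact>.+)-(?P<version>\d+(?:\.\d+)+)\.jar$")


def classify(jar_name):
    """Return (label, version) for one jar file name."""
    m = JAR_RE.match(jar_name.lower())
    if not m:
        return ("unparsed", None)          # no version in the name: review by hand
    artifact, version = m.group("artifact"), m.group("version")
    if artifact == "log4j" and version.split(".")[0] == "1":
        return ("log4j-1.x", version)      # the obsolete library itself
    return ("other-log4j-named", version)  # e.g. log4j-api-2.17.1.jar


def scan(install_dir):
    """List (relative path, label, version) for every jar with log4j in its name."""
    root = Path(install_dir)
    hits = []
    for jar in root.rglob("*.jar"):
        if jar.is_file() and "log4j" in jar.name.lower():
            label, version = classify(jar.name)
            hits.append((jar.relative_to(root).as_posix(), label, version))
    return sorted(hits)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        root = sys.argv[1]                 # UMS installation directory
    else:
        # No argument: scan a constructed tree of empty files (names only).
        # The location of the log4j-api jar is made up for the demo.
        root = tempfile.mkdtemp()
        for rel in ("messageservice/lib/optional/log4j-1.2.14.jar",
                    "lib/log4j-api-2.17.1.jar"):
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).touch()
    findings = scan(root)
    for path, label, version in findings:
        print(f"{label:18} {version or '-':10} {path}")
    # Non-zero exit while a Log4j 1.x jar is present, so the check can gate a job.
    sys.exit(1 if any(label == "log4j-1.x" for _, label, _ in findings) else 0)
```

The script only reads directory listings; after updating to 6.10.130, rerun it to confirm the outcome on your own installation.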

Update Instructions

  • Update to UMS version 6.10.130

References