ISN 2022-19: Log4j 1.x Remainder in UMS
Updated 17 October 2022 (UMS version 6.10.130 available)
First published 12 September 2022
CVSS 3.1: 3.4 (Low)
Universal Management Suite (UMS) has been found to still contain an obsolete and vulnerable Log4j version.
Affected products:
- UMS on Windows with High Availability (HA) option installed
- UMS on Linux, default installation
Although IGEL has replaced most of Log4j in UMS with a different logging solution, UMS up to version 6.10.120 still contains an instance of Log4j version 1.x. It is located at messageservice/lib/optional/log4j-1.2.14.jar in the UMS installation directory.
This version is unmaintained, and the vulnerabilities associated with version 1.x could have a low impact on the application’s confidentiality and availability.
UMS contains further files with log4j in their filenames, such as log4j-api-2.17.1.jar. These do not indicate that vulnerable Log4j versions are present. Rather, they are API bridges used by IGEL to replace Log4j with a different logging solution. They pose no risk.
Do not delete files from IGEL UMS installations. This will break the application.
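The following read-only inventory script is an added example, not IGEL tooling. It walks a UMS installation directory and separates a Log4j 1.x jar such as log4j-1.2.14.jar from Log4j 2 style components such as log4j-api-2.17.1.jar without modifying any file. The classification labels and the name-plus-contents heuristic are assumptions made for this example.

```python
import sys
import zipfile
from pathlib import Path

V1_PACKAGE = "org/apache/log4j/"  # package path used by Log4j 1.x classes


def has_v1_classes(jar_path):
    """True if the jar holds .class files under org/apache/log4j/."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return any(n.startswith(V1_PACKAGE) and n.endswith(".class")
                       for n in jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return False


def classify(jar_path):
    """Classify one *log4j*.jar by its Maven-style name plus its contents."""
    artifact, _, version = Path(jar_path).stem.lower().rpartition("-")
    major = version.split(".")[0]
    if artifact == "log4j" and major == "1" and has_v1_classes(jar_path):
        return "log4j-1.x"          # e.g. log4j-1.2.14.jar: the remainder
    if artifact.startswith("log4j-") and major.isdigit() and int(major) >= 2:
        return "log4j2-component"   # e.g. log4j-api-2.17.1.jar
    return "review"                 # fits neither pattern (assumed label)


def inventory(install_dir):
    """Read-only scan; returns {relative path: classification}."""
    root = Path(install_dir)
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*.jar")) if "log4j" in p.name.lower()}


if __name__ == "__main__":
    # Usage: python script.py <UMS installation directory>
    for rel, kind in inventory(sys.argv[1]).items():
        print(f"{kind:18} {rel}")
```

A result of log4j-1.x on a UMS installation means the update to version 6.10.130 has not been applied; a result of review means the file needs manual inspection.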
- Update to UMS version 6.10.130
- Apache Software Foundation Blog, “Apache™ Logging Services™ Project announces Log4j™ 1 end-of-life; recommends upgrade to Log4j 2”: https://news.apache.org/foundation/entry/apache_logging_services_project_announces