Updated 17 October 2022 (UMS version 6.10.130 available)

First published 12 September 2022

CVSS 3.1: 3.4 (Low)



Universal Management Suite (UMS) has been found to still contain an obsolete and vulnerable Log4j version. Affected products:

  • UMS on Windows with High Availability (HA) option installed
  • UMS on Linux, default installation


Although IGEL has replaced most of Log4j in UMS with a different logging solution, UMS up to version 6.10.120 still contains an instance of Log4j version 1.x. It is located at messageservice/lib/optional/log4j-1.2.14.jar in the UMS installation directory.

This version is unmaintained, and the application’s confidentiality and availability could have a low impact due to the vulnerabilities associated with version 1.x.

UMS contains further files with log4j in their filenames, such as log4j-api-2.17.1.jar. These are no indicator of vulnerable Log4j versions being present. Rather, they are API bridges used by IGEL to replace Log4j with a different logging solution. They pose no risk.

Do not delete files from IGEL UMS installations. This will break the application.

Update Instructions

  • Update to UMS version 6.10.130