A bit more information not shared in the visible part of the bug... sneaking in here:
------------------
All FND versions 4.9 and lower are using Log4j 1.x.
According to Apache's website (https://logging.apache.org/log4j/1.2/), this software is End-of-Life. In addition, there are 6 vulnerabilities listed as of today, 28th February 2023, and Apache urges users to upgrade to Log4j 2:
CVE-2019-17571
CVE-2020-9488
CVE-2021-4104
CVE-2022-23302
CVE-2022-23305
CVE-2022-23307
Cisco engineering confirms that the components used in the above vulnerabilities do not affect FND services and security operations. The vulnerable components of log4j 1.4 do not impact FND, as they are not used by FND code. This has been verified by screening FND code, as well as by testing FND after removing those components from the log4j jar.
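
One way to repeat the jar-level part of that check on your own deployment, as an added example that is not part of the original post or Cisco's procedure: the script reports which of the components named in the six CVE descriptions are still present in a Log4j 1.x jar. The class-to-CVE mapping follows the public CVE descriptions; the function names and the in-memory sample jars are constructed for illustration.

```python
import io
import zipfile

# Log4j 1.x classes/packages that the public CVE descriptions tie to each issue.
CVE_COMPONENTS = {
    "CVE-2019-17571": "org/apache/log4j/net/SocketServer.class",
    "CVE-2020-9488": "org/apache/log4j/net/SMTPAppender.class",
    "CVE-2021-4104": "org/apache/log4j/net/JMSAppender.class",
    "CVE-2022-23302": "org/apache/log4j/net/JMSSink.class",
    "CVE-2022-23305": "org/apache/log4j/jdbc/JDBCAppender.class",
    "CVE-2022-23307": "org/apache/log4j/chainsaw/",  # whole package
}

def audit_log4j1_jar(jar):
    """Return {cve: [entries]} for CVE-related components still in the jar.
    `jar` is a filesystem path or a binary file object."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
    found = {}
    for cve, marker in CVE_COMPONENTS.items():
        if marker.endswith("/"):
            hits = [n for n in names if n.startswith(marker) and n.endswith(".class")]
        else:
            stem = marker[: -len(".class")]
            # Exact class plus its inner classes (Name$1.class), not look-alikes.
            hits = [n for n in names if n == marker or n.startswith(stem + "$")]
        if hits:
            found[cve] = sorted(hits)
    return found

def build_sample_jar(entries):
    """Constructed sample: an in-memory jar holding empty entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

# Constructed entry lists: an untouched jar and one with the components removed.
STOCK = ["org/apache/log4j/Logger.class", *(
    m if m.endswith(".class") else m + "Main.class" for m in CVE_COMPONENTS.values())]
STRIPPED = ["org/apache/log4j/Logger.class", "org/apache/log4j/net/SyslogAppender.class"]

if __name__ == "__main__":
    for label, entries in (("stock", STOCK), ("stripped", STRIPPED)):
        report = audit_log4j1_jar(build_sample_jar(entries))
        print(label, "->", report or "no CVE-related components present")
```

An empty result only shows the classes are absent from that jar; it does not show whether the application would have loaded them.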