Solved

Necessity log4j version 1.xxxxxx

  • 8 February 2022
  • 5 replies
  • 9 views


Hello all,

Our IT department has a policy of removing all vulnerable Log4j-related files that a server scan identifies from the systems.

We have an FME Server 2020.1 with engine 2020.2.5.

The scan gives the following files:

C:\Program Files\FMEServer\Server\fme\plugins\activemq-all-5.6.0.jar
C:\Program Files\FMEServer\Server\fme\plugins\log4j-1.2.16.jar
C:\Program Files\FMEServer\Server\FMEEngineUpgrade\plugins\activemq-all-5.6.0.jar
C:\Program Files\FMEServer\Server\FMEEngineUpgrade\plugins\log4j-1.2.16.jar
C:\Program Files\FMEServer\Server\lib\log4j-1.2.14.jar
C:\Program Files\FMEServer\Utilities\tomcat\webapps\fmeapiv4.war
C:\Program Files\FMEServer\Utilities\tomcat\webapps\fmeapiv4\WEB-INF\lib\logback-classic-1.2.3.jar
C:\Program Files\FMEServer\Utilities\tomcat\webapps\fmerest.war (contains WEB-INF/lib/log4j-1.2.14.jar)
C:\Program Files\FMEServer\Utilities\tomcat\webapps\fmerest\WEB-INF\lib\log4j-1.2.14.jar

What would be the effect of removing all these files on the working of FME Server?

For example, would it break or affect the logging system of FME Server?

With kind regards,

John van der Kleijn

Best answer by nielsgerrits 8 February 2022, 14:46


Have you checked the article Is FME Affected by the Security Vulnerability Reported Against log4j? already?

Check out the article that @nielsgerrits posted.

I would not advise removing any logging from FME Server at all. As a hypothetical scenario, if you removed all those log4j files I would imagine one of two things happening:

  1. FME Server continues to run with no logging, and errors pop up when you try to load any logs.
  2. FME Server doesn't run because it is missing dependencies (and with no logging, how are you going to find the issue?)
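The check behind the two scenarios above, as an added example that is not part of the original thread and not Safe Software's code: it walks an install tree (a constructed stand-in for the FME Server layout in the question, with dummy jars rather than the real ones), reports which archives are log4j 1.x, including a jar nested in a .war's WEB-INF/lib as the scan reported for fmerest.war, which other jars reference log4j 1.x classes and would therefore break if the jar were deleted, and which of the classes named in the published log4j 1.2 advisories (JMSAppender for CVE-2021-4104, SocketServer/SocketNode for CVE-2019-17571) each jar carries. strip_risky_classes writes a copy with those classes removed, the mitigation vendors documented for CVE-2021-4104 when the jar itself cannot be dropped. The "fme-plugin.jar" name, the class bytes and the directory layout are constructed for the demo; the dependency detection is a byte-level heuristic over class files, not a full class-path analysis.

```python
"""Inventory log4j 1.x jars under an install tree and find out which jars depend on them."""
import io
import os
import tempfile
import zipfile

# Classes named in the published log4j 1.2 advisories; their presence means the jar
# carries the affected code even if this deployment never configures them.
# (JMSAppender: CVE-2021-4104; SocketServer/SocketNode: CVE-2019-17571)
RISKY_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
}
LOG4J1_MARKER = "org/apache/log4j/Logger.class"  # log4j 2.x lives under org/apache/logging/log4j/
LOG4J1_REF = b"org/apache/log4j/"                 # internal class-name form in a dependent's constant pool


def classify(zf):
    """For an open jar/war: is it log4j 1.x, does it use log4j 1.x, which risky classes does it carry."""
    names = set(zf.namelist())
    is_log4j1 = LOG4J1_MARKER in names
    uses_log4j1 = False
    if not is_log4j1:
        # heuristic: any class file that names org/apache/log4j/... links against log4j 1.x
        uses_log4j1 = any(n.endswith(".class") and LOG4J1_REF in zf.read(n) for n in names)
    return {"is_log4j1": is_log4j1, "uses_log4j1": uses_log4j1,
            "risky_classes": sorted(RISKY_CLASSES & names)}


def scan(root):
    """Walk root; classify every .jar/.war and every .jar nested inside a .war (WEB-INF/lib)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".jar", ".war")):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(path) as zf:
                    findings[rel] = classify(zf)
                    for inner in zf.namelist():
                        if inner.lower().endswith(".jar"):
                            with zipfile.ZipFile(io.BytesIO(zf.read(inner))) as izf:
                                findings[rel + "!" + inner] = classify(izf)
            except zipfile.BadZipFile:
                findings[rel] = {"error": "not a zip archive"}
    return findings


def strip_risky_classes(jar_path, out_path):
    """Write a copy of jar_path without RISKY_CLASSES; returns the entries that were dropped."""
    removed = []
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if info.filename in RISKY_CLASSES:
                removed.append(info.filename)
            else:
                dst.writestr(info, src.read(info.filename))
    return removed


def build_sample_tree(root):
    """Constructed stand-in for the FME Server layout in the question; not real FME or log4j jars."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic is all this scanner needs

    def jar(path, entries):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)

    plugins = os.path.join(root, "Server", "fme", "plugins")
    jar(os.path.join(plugins, "log4j-1.2.16.jar"), {LOG4J1_MARKER: magic,
        "org/apache/log4j/net/JMSAppender.class": magic,
        "org/apache/log4j/net/SocketServer.class": magic})
    # hypothetical plugin that logs through log4j 1.x: its constant pool names the class
    jar(os.path.join(plugins, "fme-plugin.jar"),
        {"com/example/Plugin.class": magic + b"org/apache/log4j/Logger"})
    webapps = os.path.join(root, "Utilities", "tomcat", "webapps")
    jar(os.path.join(webapps, "fmeapiv4", "WEB-INF", "lib", "logback-classic-1.2.3.jar"),
        {"ch/qos/logback/classic/Logger.class": magic})
    nested = io.BytesIO()  # a .war with log4j 1.x inside WEB-INF/lib, as the scan reported
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(LOG4J1_MARKER, magic)
    jar(os.path.join(webapps, "fmerest.war"), {"WEB-INF/lib/log4j-1.2.14.jar": nested.getvalue()})


def demo():
    """Build the constructed tree in a temp dir, scan it, strip one jar, classify the stripped copy."""
    root = tempfile.mkdtemp(prefix="fme-log4j-")
    build_sample_tree(root)
    before = scan(root)
    jar_path = os.path.join(root, "Server", "fme", "plugins", "log4j-1.2.16.jar")
    removed = strip_risky_classes(jar_path, jar_path + ".stripped")
    with zipfile.ZipFile(jar_path + ".stripped") as zf:
        after = classify(zf)
    return {"log4j1_jars": sorted(k for k, v in before.items() if v.get("is_log4j1")),
            "dependents": sorted(k for k, v in before.items() if v.get("uses_log4j1")),
            "risky_before": before["Server/fme/plugins/log4j-1.2.16.jar"]["risky_classes"],
            "removed": removed, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run scan() against the real install root to get the same report for the actual jars; a jar that shows up under "dependents" is one the server loads log4j 1.x through, so deleting the log4j jar next to it is what produces the second scenario above. Test any stripped jar in a staging environment before swapping it into production, and keep a copy of the original.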

Yes, we checked the article and forwarded its content to our IT department.

They do not agree.

Our IT department wants to remove all log4j v1.xxx from the servers.

Their motivation is that log4j 1.x has been out of support since 2015.

Hence the question about removing Log4j 1.xxx.

Can it be that log4j 1.x comes with the FME installation but is not used?

If that is the case, maybe it can be removed.

If not, what is Safe's policy for upgrading log4j 1.x to a newer version?

Regards, and thanks for the reply,

John van der Kleijn


I think in that case it would be best to open a support ticket and/or have a chat with your reseller contact.


Thanks for the reply. I opened a support ticket.
