Solved

Necessity log4j version 1.xxxxxx

  • February 8, 2022

jvdkleijn_ehv
Contributor

Hello all,

Our IT department has the policy to remove all the vulnerable Log4j-related files from the systems which came from a server scan.

We have a FME server 2020.1 with engine 2020.2.5

The scan gives the following files:

C:\\Program Files\\FMEServer\\Server\\fme\\plugins\\activemq-all-5.6.0.jar

C:\\Program Files\\FMEServer\\Server\\fme\\plugins\\log4j-1.2.16.jar

C:\\Program Files\\FMEServer\\Server\\FMEEngineUpgrade\\plugins\\activemq-all-5.6.0.jar

C:\\Program Files\\FMEServer\\Server\\FMEEngineUpgrade\\plugins\\log4j-1.2.16.jar

C:\\Program Files\\FMEServer\\Server\\lib\\log4j-1.2.14.jar

C:\\Program Files\\FMEServer\\Utilities\\tomcat\\webapps\\fmeapiv4.war

C:\\Program Files\\FMEServer\\Utilities\\tomcat\\webapps\\fmeapiv4\\WEB-INF\\lib\\logback-classic-1.2.3.jar

C:\\Program Files\\FMEServer\\Utilities\\tomcat\\webapps\\fmerest.war","WEB-INF/lib/log4j-1.2.14.jar

C:\\Program Files\\FMEServer\\Utilities\\tomcat\\webapps\\fmerest\\WEB-INF\\lib\\log4j-1.2.14.jar

What would be the effect of removing all these files on the working of FME server?

For example, would it demolish or influence the logging system of FME server?

With kind regards,

John van der Kleijn
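
An added example, not part of the original thread and not Safe Software's tooling: a Python script for re-checking a scan list like the one above, before and after any cleanup, by listing every archive under a directory that bundles log4j 1.x classes, including jars nested inside WAR files. The directory layout and file contents built in `demo()` are constructed sample data.

```python
import io, os, pathlib, tempfile, zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# log4j 1.x classes live under org/apache/log4j/ (2.x uses org/apache/logging/log4j/).
# The 2.x log4j-1.2-api bridge reuses the 1.x package name, so review each hit by hand.
LOG4J1_MARKER = "org/apache/log4j/"

def scan_archive(data, chain, hits):
    # Record the chain if this archive bundles log4j 1.x classes, then recurse.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.startswith(LOG4J1_MARKER) and n.endswith(".class") for n in names):
            hits.append(" -> ".join(chain))
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(n), chain + [n], hits)

def find_log4j1(root):
    # Walk root; return each archive (or nested-archive chain) that bundles log4j 1.x.
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), [os.path.relpath(path, root)], hits)
    return sorted(hits)

def _jar(entries):  # constructed sample archive built in memory from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def demo():
    # Constructed tree shaped like the scan list: loose jar, clean jar, WAR with nested jar.
    log4j = _jar({"org/apache/log4j/Logger.class": b"stub"})
    samples = {"plugins/log4j-1.2.16.jar": log4j,
               "plugins/other.jar": _jar({"com/example/App.class": b"stub"}),
               "webapps/fmerest.war": _jar({"WEB-INF/lib/log4j-1.2.14.jar": log4j})}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = pathlib.Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return [h.replace(os.sep, "/") for h in find_log4j1(root)]
```

Run `find_log4j1()` against the installation directory to get the same kind of inventory on a real server; an empty list after remediation means no archive under that root still carries classes in the log4j 1.x package.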

Best answer by nielsgerrits

Have you checked the article Is FME Affected by the Security Vulnerability Reported Against log4j? already?


5 replies

nielsgerrits
VIP
  • 2940 replies
  • Best Answer
  • February 8, 2022

hkingsbury
Celebrity
  • Celebrity
  • 1633 replies
  • February 8, 2022

Check out that article that @nielsgerrits posted.

I would not advise one bit to remove any logging from FME Server. As a hypothetical scenario, if you removed all those log4j files I would imagine one of two scenarios taking place:

  1. FME Server continues to run, with no logging, errors pop up when you try to load any logs
  2. FME Server doesn't run as it is missing dependencies (and with no logging how're you going to find the issue?)

jvdkleijn_ehv
Contributor
  • Author
  • Contributor
  • 7 replies
  • February 10, 2022

Yes, we checked the article and relayed the content to our IT department.

They do not agree.

Our IT department wants to remove all log4jv1.xxx from the servers.

Their motivation is that log4j1... is out of support (2015).

Therefore the question about removing Log4j1.xxx.

Can it be that log4j1.. comes with the FME installation, but is not used?

If that is the case, maybe it can be removed.

If not, what is the policy from Safe on upgrading log4j1... to a newer version?

Regards and thanks for the reply,

John van der Kleijn


hkingsbury
Celebrity
  • Celebrity
  • 1633 replies
  • February 10, 2022

I think in that case it would be best to open up a support ticket and/or have a chat with your reseller contact


jvdkleijn_ehv
Contributor
  • Author
  • Contributor
  • 7 replies
  • February 11, 2022

Thanks for the reply. I opened a support ticket.