Skip to main content

Hello all,

 

Our IT department has the policy to remove all the vulnarible Log4j related files from the systems which came from a server scan.

 

We have a FME server 2020.1 with engine 2020.2.5

The scan gives the following files:

 

C:\\Program Files\\FMEServer\\Server\\fme\\plugins\\activemq-all-5.6.0.jar

C:\\Program Files\\FMEServer\\Server\\fme\\plugins\\log4j-1.2.16.jar

C:\\Program Files\\FMEServer\\Server\\FMEEngineUpgrade\\plugins\\activemq-all-5.6.0.jar

C:\\Program Files\\FMEServer\\Server\\FMEEngineUpgrade\\plugins\\log4j-1.2.16.jar

C:\\Program Files\\FMEServer\\Server\\lib\\log4j-1.2.14.jar

C:\\Program Files\\FMEServer\\Utilities\\tomcat\\webapps\\fmeapiv4.war

C:\\Program Files\\FMEServer\\Utilities\\tomcat\\webapps\\fmeapiv4\\WEB-INF\\lib\\logback-classic-1.2.3.jar

C:\\Program Files\\FMEServer\\Utilities\\tomcat\\webapps\\fmerest.war","WEB-INF/lib/log4j-1.2.14.jar

C:\\Program Files\\FMEServer\\Utilities\\tomcat\\webapps\\fmerest\\WEB-INF\\lib\\log4j-1.2.14.jar

 

What would be the effect off removing all these files to the working of FME server?

For example, would it demolish or influence the logging system of FME server?

 

With kind regards,

 

John van der Kleijn

Have you checked the article Is FME Affected by the Security Vulnerability Reported Against log4j? already?


check out that article that @nielsgerrits​  posted.

I would not advise one bit to remove any logging from FME Server. As a hypothetical scenario, if you removed all those log4j files I would imagine one of two scenarios taking place:

  1. FME Server continues to run, with no logging, errors popup when you try to load any logs
  2. FME Server doesn't run as it is missing dependencies (and with no logging how're you going to find the issue?)

Yes, we checked the article en replied the content to our IT department.

They do not agree.

 

Our IT department wants to remove all log4jv1.xxx from the servers.

There motivation is that log4j1... is out of support. (2015)

Therefore the question about removing Log4j1.xxx

 

can it be that log4j1.. comes with the FME installatieon, but is not used?

If that is the case maybee it can be removed.

If not, what is the policy from Safe upgrading log4j1... to a newer version?

 

Regards en thank's fotr the reply,

 

John van der Kleijn


Yes, we checked the article en replied the content to our IT department.

They do not agree.

 

Our IT department wants to remove all log4jv1.xxx from the servers.

There motivation is that log4j1... is out of support. (2015)

Therefore the question about removing Log4j1.xxx

 

can it be that log4j1.. comes with the FME installatieon, but is not used?

If that is the case maybee it can be removed.

If not, what is the policy from Safe upgrading log4j1... to a newer version?

 

Regards en thank's fotr the reply,

 

John van der Kleijn

I think in that case it would be best to open up a support ticket and/or have a chat with your reseller contact


Thank's for the reply. I Opened a support ticket.


Reply