Summary

A vulnerability identified as CVE-2021-44228 and CVE-2021-45105 has been reported in the Apache Log4j library. This vulnerability may allow for remote code execution in susceptible products.

Problem Description

Upon analysis, CVE-2021-44228 and CVE-2021-45105 have been determined to impact the optional part of alerter module under examples with the (FlexNet Publisher 64-bit License Server Manager) lmadmin.

Resolution

IMPORTANT: FlexNet Publisher is not vulnerable to log4j vulnerability. It is just used in the example. Customers can also modify on their own.

Log4j version has been upgraded to 2.17.0 and an updated version of FlexNet Publisher 11.18.3.1 is now available in the Product and License Center.

Workaround

For older versions of FlexNet Publisher other than 11.18.3.1, you can follow this workaround.

1. Download the latest version of log Log4j, like 2.15 or 2.16 or 2.17, and then replace each of the files in this path with its corresponding updated file:
   
   C:\Program Files\FlexNet Publisher 64-bit License Server Manager\examples\alerter\lib
   
   
2. Replace these files:
   
   log4j-1.2-api-2.13.3.jar
log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
   
   with these files:
   
   log4j-1.2-api-2.16.0.jar
log4j-api-2.16.0.jar
log4j-core-2.16.0.jar
   
   or these files:
   
   log4j-1.2-api-2.17.0.jar
log4j-api-2.17.0.jar
log4j-core-2.17.0.jar