Upgrade Apache Log4j Core JAR File On Discovery MID Servers From 2.16.0 To 2.17.x?

Tom Rausch
Tera Guru

When will ServiceNow upgrade the Apache Log4j Core file "log4j-core.jar" on the ServiceNow Discovery -MID Servers from 2.16.0 to 2.17.0?

Discussion

The article KB1000959 - Apache Log4j Vulnerabilities (Multiple CVEs) suggests upgrading ServiceNow to Quebec Patch 9 Hot Fix 3 to solve the Apache Log4j vulnerability.

The Quebec Patch 9 Hot Fix 3 updates the Apache Log4j Core JAR file "log4j-core.jar" from version 2.14.0 to 2.16.0. Version 2.16.0 of the file "log4j-core.jar" fixes the JNDI vulnerability. However, version 2.16.0 of the file still has a Denial of Service (DoS) vulnerability. This DoS vulnerability is fixed in version 2.17.0 of the file.

Therefore, the question now is, when will ServiceNow upgrade the Apache Log4j Core file "log4j-core.jar" on the MID Servers from 2.16.0 to 2.17.0?

fred_sangokoya
Tera Contributor

I also want to add that there is a vulnerability with 2.17.0, and the KB for the manual fix is already updated to use the 2.17.1 version - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1001211. Hopefully, the next patch will include a fix for this.

@fred.sangokoya, you are correct. We want to update to the latest version of the vulnerable files, version 2.17.1 -- or whatever version is the latest patch at the time.

Therefore, the question now is, when will ServiceNow upgrade the Apache Log4j Core file "log4j-core.jar" on the MID Servers from 2.16.0 to 2.17.1 (or perhaps even a version beyond 2.17.1)?
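
As an added example (not from this thread, ServiceNow, or the KB), a small Python check that reads the version recorded inside a log4j-core.jar and reports where it stands against the versions discussed above (2.16.0 JNDI fix, 2.17.0 DoS fix, 2.17.1 as the KB's current target). The pom.properties path and the manifest's Implementation-Version header are assumed Maven packaging conventions, and the sample JAR is constructed in memory.

```python
import io
import re
import zipfile

# Thresholds taken from the thread: 2.16.0 fixed the JNDI issue, 2.17.0 the
# DoS, and the replies name 2.17.1 as the version the KB now prescribes.
TARGET = (2, 17, 1)

def parse_version(text):
    """'2.16.0' -> (2, 16, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split("."))

def jar_version(jar_bytes):
    """Read the version from Maven's pom.properties, else the manifest (assumed layout)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        pom = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
        if pom in names:
            m = re.search(r"^version=(\S+)", zf.read(pom).decode(), re.MULTILINE)
            if m:
                return parse_version(m.group(1))
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    if not m:
        raise ValueError("no version metadata found in JAR")
    return parse_version(m.group(1))

def classify(version):
    """Map a version tuple to the status the thread describes."""
    if version < (2, 16, 0):
        return "upgrade required: JNDI fix (2.16.0) missing"
    if version < (2, 17, 0):
        return "upgrade required: DoS fix (2.17.0) missing"
    if version < TARGET:
        return "upgrade required: 2.17.0 needs 2.17.1"
    return "ok"

def make_sample_jar(version):
    """Construct a minimal JAR holding only a manifest (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()

def check_jar(jar_bytes):
    """Return (version string, status) for a JAR's bytes."""
    v = jar_version(jar_bytes)
    return ".".join(map(str, v)), classify(v)
```

Point `check_jar` at the bytes of the actual log4j-core.jar on a MID Server host to get the same (version, status) pair for a real file.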

Luiz Guilherme
Tera Contributor

Hello all,

Also, if you check their KB, the log4j version used by the instance is 1.2.17, which was EOL by August 2015.

I was advised to open an idea in the Idea Portal asking for the upgrade, so please help by upvoting the idea so that ServiceNow takes it into account.

https://community.servicenow.com/community?id=view_idea&sysparm_idea_id=4d16b132db780d1007ab826305961923&sysparm_idea_table=x_snc_com_ideation_idea&sysparm_module_id=enhancement_requests

Thank you,