Upgrade Apache Log4j Core JAR File On Discovery MID Servers From 2.16.0 To 2.17.x?

01-06-2022 08:55 AM
When will ServiceNow upgrade the Apache Log4j Core file "log4j-core.jar" on the ServiceNow Discovery MID Servers from 2.16.0 to 2.17.0?
Discussion
The article KB1000959 - Apache Log4j Vulnerabilities (Multiple CVEs) suggests upgrading ServiceNow to Quebec Patch 9 Hot Fix 3 to solve the Apache Log4j vulnerability.
The Quebec Patch 9 Hot Fix 3 updates the Apache Log4j Core JAR file "log4j-core.jar" from version 2.14.0 to 2.16.0. Version 2.16.0 of the file "log4j-core.jar" fixes the JNDI vulnerability. However, version 2.16.0 of the file still has a Denial of Service (DoS) vulnerability. This DoS vulnerability is fixed in version 2.17.0 of the file.
Therefore, the question now is, when will ServiceNow upgrade the Apache Log4j Core file "log4j-core.jar" on the MID Servers from 2.16.0 to 2.17.0?
Reference
- Labels: Discovery
01-06-2022 10:59 AM
I also want to add that there is a vulnerability with 2.17.0, and the KB for the manual fix is already updated to use the 2.17.1 version - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1001211. Hopefully, the next patch will include a fix for this.

01-06-2022 05:05 PM
Therefore, the question now is, when will ServiceNow upgrade the Apache Log4j Core file "log4j-core.jar" on the MID Servers from 2.16.0 to 2.17.1 (or perhaps even a version beyond 2.17.1)?
References
01-11-2022 10:33 AM
Hello all,
Also, if you check their KB, the log4j version used by the instance is 1.2.17, which was EOL by August 2015.
I was recommended to open an idea in the idea portal asking for the upgrade, so please help to upvote the idea so that ServiceNow takes it into account.
https://community.servicenow.com/community?id=view_idea&sysparm_idea_id=4d16b132db780d1007ab826305961923&sysparm_idea_table=x_snc_com_ideation_idea&sysparm_module_id=enhancement_requests
Thank you,

01-11-2022 12:51 PM
I upvoted the Idea "Remediate the MID Server log4j library versions that are vulnerable to known exploits through patchi...". Thank you for posting this Idea.
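
To check which log4j-core version a MID Server host actually carries against the 2.17.1 version mentioned in this thread, here is an added example (not part of any post above and not ServiceNow tooling). It reads the version from each JAR's own metadata rather than trusting the file name; the directory names and sample JARs are constructed for the demo.

```python
import os, re, tempfile, zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MINIMUM = (2, 17, 1)  # version the thread says the manual-fix KB now uses

def jar_version(jar_path):
    """Read the version from the JAR's metadata (Maven properties, then manifest)."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        for member, key in ((POM, "version="),
                            ("META-INF/MANIFEST.MF", "Implementation-Version:")):
            if member in names:
                for line in jar.read(member).decode("utf-8", "replace").splitlines():
                    if line.startswith(key):
                        return line[len(key):].strip()
    return None

def parse(version):
    """'2.16.0' -> (2, 16, 0); None if the string is not a plain x.y.z version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version or "")
    return tuple(map(int, m.groups())) if m else None

def scan(root):
    """Return [(path, version, status)] for every log4j-core JAR under root."""
    findings = []
    for folder, _, files in os.walk(root):
        for name in sorted(files):
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(folder, name)
                try:
                    version = jar_version(path)
                except zipfile.BadZipFile:  # truncated or non-JAR file
                    version = None
                parsed = parse(version)
                status = ("UNKNOWN" if parsed is None
                          else "OK" if parsed >= MINIMUM else "UPGRADE")
                findings.append((path, version, status))
    return findings

def build_sample(root):
    """Constructed sample: metadata-only JARs in hypothetical directories."""
    for sub, version in (("mid_a/lib", "2.16.0"), ("mid_b/lib", "2.17.1")):
        os.makedirs(os.path.join(root, sub))
        with zipfile.ZipFile(os.path.join(root, sub, "log4j-core.jar"), "w") as jar:
            jar.writestr(POM, f"version={version}\ngroupId=org.apache.logging.log4j\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, version, status in scan(tmp):
            print(status, version, os.path.relpath(path, tmp))
```

Point `scan()` at the MID Server installation directory on the host. Copies of Log4j repackaged inside other JARs are not found by this file-name match, so an empty result does not prove absence.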