Upgrade Apache Log4j Core JAR File On Discovery MID Servers From 2.16.0 To 2.17.x?

01-06-2022 08:55 AM
When will ServiceNow upgrade the Apache Log4j Core file "log4j-core.jar" on the ServiceNow Discovery MID Servers from 2.16.0 to 2.17.0?
Discussion
The article KB1000959 - Apache Log4j Vulnerabilities (Multiple CVEs) suggests upgrading ServiceNow to Quebec Patch 9 Hot Fix 3 to solve the Apache Log4j vulnerability.
The Quebec Patch 9 Hot Fix 3 updates the Apache Log4j Core JAR file "log4j-core.jar" from version 2.14.0 to 2.16.0. Version 2.16.0 of the file "log4j-core.jar" fixes the JNDI vulnerability. However, version 2.16.0 of the file still has a Denial of Service (DoS) vulnerability. This DoS vulnerability is fixed in version 2.17.0 of the file.
Therefore, the question now is, when will ServiceNow upgrade the Apache Log4j Core file "log4j-core.jar" on the MID Servers from 2.16.0 to 2.17.0?
Reference

01-11-2022 12:55 PM
I opened ServiceNow Case CS5826929, "Upgrade Apache Log4j Core JAR File On Discovery MID Servers From 2.16.0 To 2.17.1?". I pose the same question in this Case. Here is the reply from ServiceNow.
At the moment we do not have any patch with log4j 2.17.1. If you need, you can follow the manual steps to upgrade to 2.0.17 based on KB KB1001211.
03-09-2022 06:52 AM
Latest information is from 2022-03-08
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1000959
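
Added example, not part of the thread and not ServiceNow code: because the file on disk is named "log4j-core.jar" with no version in its name, this sketch reads the version recorded inside each jar and compares it with the 2.16.0 and 2.17.0 thresholds discussed above, for instance to confirm a hot fix or a manual upgrade took effect. The directory to scan and the status labels are assumptions; the thread does not give the MID Server install path.

```python
import re
import sys
import zipfile
from pathlib import Path

# Maven metadata that log4j-core jars carry; the manifest is the fallback.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"
PATTERNS = ((POM, r"^version=(\S+)"),
            (MANIFEST, r"^Implementation-Version:\s*(\S+)"))

# Status labels are this example's own (assumed names), keyed to the thread.
OLDER = "older than 2.16.0"
HOTFIX = "2.16.x: JNDI fix present, DoS fix missing"
FIXED = "2.17.0 or later: DoS fix present"
UNKNOWN = "unknown"

def jar_version(jar_path):
    """Return the log4j-core version recorded inside the jar, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = set(jar.namelist())
            for member, pattern in PATTERNS:
                if member in names:
                    text = jar.read(member).decode("utf-8", "replace")
                    match = re.search(pattern, text, re.M)
                    if match:
                        return match.group(1)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or corrupt jar: reported as unknown
    return None

def classify(version):
    """Compare a 2.x version with the two thresholds named in the thread."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not match or match.group(1) != "2":
        return UNKNOWN
    parsed = tuple(int(part or 0) for part in match.groups())
    if parsed >= (2, 17, 0):
        return FIXED
    return HOTFIX if parsed >= (2, 16, 0) else OLDER

def scan(root):
    """Return (path, version, status) for every log4j-core*.jar under root."""
    jars = sorted(Path(root).rglob("log4j-core*.jar"))
    return [(str(p), jar_version(p), classify(jar_version(p))) for p in jars]

if __name__ == "__main__":
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:45} {version or '?':10} {path}")
```

Run it with the MID Server's installation directory as the argument. It only compares against the two versions named in the thread and does not distinguish other Log4j release lines.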