Log4j library of Mid Servers

Joanna15
Tera Expert

‎01-04-2022 06:50 PM

The Now Support KB article about Log4J (https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1000959) says: The MID Server, similarly, is not vulnerable to this exploit but does contain an unused, but potentially vulnerable, version of the log4J library.

Our mid-servers are on Rome and with a higher version of open JDK (1.8.0_231). Meanwhile we still see log4j-core.jar files 2.14.0.0 in the mid server installation folders (Event Management, Discovery, RemoteFile, etc). The question is if this version of log4j-core.jar is not being used, can these log4j-core.jar files be safely removed? Is there a good way to clean them up?

Labels:
0 Helpfuls
  • 2,590 Views
6 REPLIES 6

Allen Andreas
Administrator
Administrator

‎01-04-2022 06:57 PM

Hi,

Please see ServiceNow's response here: https://community.servicenow.com/community?id=community_question&sys_id=9f0798fedb144d5439445ac2ca96... -- which does link to the support KB article you posted, but from what they're saying, it's not vulnerable and logging is off for 3rd party anyway.

For an emergency fix:

You can implement an emergency fix right now. Find any/all files named log4j-core-2*.jar and remove the file org/apache/logging/log4j/core/lookup/JndiLookup.class from them and restart the MID server.

Otherwise, there should be instructions on how to upgrade to 2.16 hotfix.

Please mark reply as Helpful/Correct, if applicable. Thanks!


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

Maik Skoddow
Tera Patron
Tera Patron

‎01-04-2022 06:57 PM

Hi @Joanna 

did you also notice the Q&A section with the following question/answer:

How can I see the JDK versions used by my MID Servers?  

A: Customers can confirm the JVM version by going to their MID server list and adding the JVM Version column. This will show them the current JVM version they are on. Instructions on how to do this are in KB1001243 

Please note, the MID Server code does not use log4j directly and has turned off log4j for third-party libraries that it uses.  

To my understanding you could rename the respective JAR files, restart the MID server and check what happens.

Kind regards
Maik

0 Helpfuls

Joanna15
Tera Expert
In response to Maik Skoddow

‎01-04-2022 07:08 PM

Hi Maik - thank you for the response. Yes, we did check the JDK version of the mid-servers and confirmed we are on a higher version as Rome should be. However we still notice older log4j 2.14 files in some of the mid-server folders. That is why I wonder if we can physically remove these files without an impact to the mid-servers. 

0 Helpfuls

Maik Skoddow
Tera Patron
Tera Patron
In response to Joanna15

‎01-04-2022 07:14 PM

Hi @Joanna

at the moment, I'm not sure whether an upgrade implies removal of old, unused files.

You have two ways: You ask ServiceNow via Support Ticket or you rename the existing MID Server folder and install a fresh version. This way you can compare both version.

Kind regards
Maik