Fortify Software Security Center & CVE-2021-44228

Fortify SSC v20.* is vulnerable with respect to CVE-2021-44228.

Any experience using the Log4J settings workaround?

  • In my client environment I've (stopped tomcat service and) replaced

    on SSC
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\birtrunner\log4j-api-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\birtrunner\log4j-core-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\birtrunner\log4j-slf4j-impl-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\iidmigrator\log4j-api-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\iidmigrator\log4j-core-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\runtime-bridge\log4j-api-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\externallib\runtime-bridge\log4j-core-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\lib\log4j-api-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\lib\log4j-core-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\lib\log4j-jul-2.14.1.jar
    apps\Tomcat\webapps\ssc\WEB-INF\lib\log4j-slf4j-impl-2.14.1.jar

    on ScanCentral SAST controller
    apps\Tomcat\webapps\scancentral-ctrl\WEB-INF\lib\log4j-1.2-api-2.14.1.jar
    apps\Tomcat\webapps\scancentral-ctrl\WEB-INF\lib\log4j-api-2.14.1.jar
    apps\Tomcat\webapps\scancentral-ctrl\WEB-INF\lib\log4j-core-2.14.1.jar
    apps\Tomcat\webapps\scancentral-ctrl\WEB-INF\lib\log4j-jcl-2.14.1.jar

    to the proper log4j-*-2.15.0.jar files extracted from latest Log4j version downloaded from logging.apache.org/.../download.html

    Can Micro Focus confirm that this mitigation resolves the CVE-2021-44228 vulnerability?

    thanks 

    -- 
    Pawel
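
A jar swap like the one above is only complete if no old copy is left anywhere under the webapps tree, and a jar's filename is not proof of its contents. The script below is an added example, not code from Pawel or from Micro Focus: it walks a Tomcat webapps directory, reads the Implementation-Version from each log4j-*.jar's manifest (falling back to the version in the filename), and lists every jar still below a minimum version. The directory layout it checks mirrors the paths listed in the post; the jars it builds for its self-test are constructed fixtures containing only a manifest, not real Log4j binaries, and the minimum version is a parameter so the same check can be re-run when the required release changes.

```python
"""Inventory Log4j 2 jars under a Tomcat webapps tree and flag any below a minimum version."""
import re
import tempfile
import zipfile
from pathlib import Path

# Filename pattern for Log4j 2 artifacts, e.g. log4j-core-2.14.1.jar or log4j-1.2-api-2.14.1.jar.
# The artifact group is non-greedy so "1.2-api" is not mistaken for part of the version.
LOG4J_JAR = re.compile(r"^log4j-(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in text.strip().split("."))


def jar_version(jar):
    """Version from the jar's manifest; the filename is only a fallback (a renamed jar is still old)."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, _, value = line.partition(":")
            if key.strip() in ("Implementation-Version", "Bundle-Version"):
                m = re.match(r"\d+(?:\.\d+)+", value.strip())
                if m:
                    return parse_version(m.group(0))
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable archive or no manifest: fall through to the filename
    m = LOG4J_JAR.match(jar.name)
    return parse_version(m.group("version")) if m else None


def find_log4j_jars(root):
    """Yield (path, artifact, version) for every log4j-*.jar below root, however deeply nested."""
    root = Path(root)
    for jar in sorted(root.rglob("log4j-*.jar")):
        m = LOG4J_JAR.match(jar.name)
        if m:
            yield jar, m.group("artifact"), jar_version(jar)


def outdated_jars(root, minimum="2.15.0"):
    """Relative paths (forward slashes) of jars whose version is below `minimum` or unknown."""
    floor = parse_version(minimum)
    root = Path(root)
    return [
        str(jar.relative_to(root)).replace("\\", "/")
        for jar, _, version in find_log4j_jars(root)
        if version is None or version < floor  # unknown version is treated as not patched
    ]


# Constructed fixture mirroring the layout listed in the thread. Each jar is an empty
# archive with only a manifest; the manifest version is what the check trusts.
SAMPLE_JARS = {
    "apps/Tomcat/webapps/ssc/WEB-INF/lib/log4j-core-2.14.1.jar": "2.14.1",
    "apps/Tomcat/webapps/ssc/WEB-INF/lib/log4j-api-2.14.1.jar": "2.14.1",
    "apps/Tomcat/webapps/ssc/WEB-INF/externallib/birtrunner/log4j-core-2.15.0.jar": "2.15.0",
    "apps/Tomcat/webapps/scancentral-ctrl/WEB-INF/lib/log4j-1.2-api-2.15.0.jar": "2.15.0",
    # Filename claims 2.15.0 but the manifest says 2.14.1: a renamed jar, still flagged.
    "apps/Tomcat/webapps/scancentral-ctrl/WEB-INF/lib/log4j-core-2.15.0.jar": "2.14.1",
}


def build_sample_tree(root):
    """Write the constructed fixture jars under root."""
    for rel, version in SAMPLE_JARS.items():
        jar = Path(root, rel)
        jar.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")


def demo(minimum="2.15.0"):
    """Build the fixture in a temp dir and return the jars still below `minimum`."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return outdated_jars(tmp, minimum)


if __name__ == "__main__":
    # Against a real install, replace demo() with outdated_jars(r"C:\path\to\apps\Tomcat\webapps").
    for rel in demo():
        print("still below 2.15.0:", rel)
```

Run it against the real Tomcat directory by calling `outdated_jars` on the webapps path; an empty list means every log4j-*.jar under the tree reports a manifest version at or above the minimum, which is the evidence to keep alongside the change record for the jar swap.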
