Is it safe to delete old log4j files?

 

Security scanner against NAM 5.0.3 servers is still finding a lot of instances of log4j 1.2.  Wonder why they are left behind and is it safe to just delete all of these:

Admin Console:
/var/opt/novell/iManager/nps/WEB-INF/lib/log4j-1.2.17.jar
/opt/netiq/common/tomcat/webapps/roma/WEB-INF/lib/log4j-1.2-api-2.17.1.jar
/opt/novell/devman/bin/log4j-1.2-api-2.17.1.jar

IdP:
/opt/novell/nids/lib/webapp/WEB-INF/lib/log4j-1.2-api-2.17.1.jar
/opt/novell/devman/jcc/lib/log4j-1.2-api-2.17.1.jar

AG:
/opt/novell/devman/jcc/lib/log4j-1.2-api-2.17.1.jar
/opt/novell/nesp/lib/webapp/WEB-INF/lib/log4j-1.2-api-2.17.1.jar

Thanks.

Matt

  • 0  

    I also looked at the RPMs in 5.0.3 and these jars are all still in the shipping code.

    Matt

  • 0  

    After looking a bit closer, I think only the log4j-1.2.17.jar in the iManager structure is suspect/vulnerable.  I believe the others are used to bridge the APIs between 1.2 and 2.17.1.  But why is there still a vulnerable log4j jar included in 5.0.3?

    Matt
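
The distinction drawn in the last reply, between the original log4j 1.x jar and the log4j-1.2-api bridge, can be checked from the Maven metadata inside each jar instead of trusting the file name. This is an added example, not part of the original thread or of NAM; it assumes the jars carry a `META-INF/maven/<groupId>/<artifactId>/pom.properties` entry with the standard Maven coordinates, and `classify_jar` and `make_jar` are hypothetical helper names with constructed sample jars.

```python
import io
import re
import zipfile

# Maven coordinates (groupId, artifactId) mapped to what the jar really is.
KNOWN = {
    ("log4j", "log4j"): "log4j-1.x",  # the original, end-of-life 1.x library
    ("org.apache.logging.log4j", "log4j-1.2-api"): "bridge",  # 1.2 API on Log4j 2
}
POM = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties")

def classify_jar(jar, name=""):
    """Return (kind, version) for a jar given as a path or a file-like object."""
    name = name or (jar if isinstance(jar, str) else "")
    with zipfile.ZipFile(jar) as zf:
        for entry in zf.namelist():
            m = POM.fullmatch(entry)
            if m and m.groups() in KNOWN:
                text = zf.read(entry).decode("utf-8", "replace")
                props = dict(l.split("=", 1) for l in text.splitlines()
                             if "=" in l and not l.startswith("#"))
                return KNOWN[m.groups()], props.get("version", "?").strip()
    # No usable Maven metadata (assumption failed): fall back to the file name.
    base = name.rsplit("/", 1)[-1]
    for kind, pattern in (("bridge", r"log4j-1\.2-api-(\d[\w.]*)\.jar"),
                          ("log4j-1.x", r"log4j-(1\.[\w.]*)\.jar")):
        m = re.fullmatch(pattern, base)
        if m:
            return kind, m.group(1)
    return "unknown", "?"

def make_jar(group, artifact, version):
    """Build a constructed, in-memory jar holding only Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"#Generated by Maven\nversion={version}\n"
                    f"groupId={group}\nartifactId={artifact}\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(classify_jar(make_jar("log4j", "log4j", "1.2.17")))
    print(classify_jar(make_jar("org.apache.logging.log4j", "log4j-1.2-api", "2.17.1")))
```

On a real server, pass each path from the scanner report to `classify_jar`; only results of kind `log4j-1.x` are the old library itself.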