Problem Note 68768: A vulnerability in the Apache Log4j logging library affects Platform LSF
Severity: Critical
Description: The Apache Log4j Java logging library that is included with Platform LSF is affected by the vulnerabilities that are described in the following CVE records:
Note: Platform LSF versions 10.1.0.6 and later are affected by Apache Log4j vulnerabilities.
Platform LSF 10.1.0.12 includes the vulnerability fixes. If the Apache Log4j vulnerabilities still appear in scans for Platform LSF 10.1.0.12 and the Platform LSF resource connector is not enabled, then remove the following files:
/LSF_TOP/10.1/resource_connector/*/lib/log4j-core-2.14.1.jar
/LSF_TOP/10.1/resource_connector/*/lib/log4j-api-2.14.1.jar
Note: Platform LSF is vulnerable only if a resource connector is enabled (it is disabled by default).
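The file removal described above for Platform LSF 10.1.0.12 with the resource connector not enabled, written as a shell helper. This is an added example, not SAS or vendor code; the function names and the dry-run/apply argument are assumptions, and the LSF_TOP installation directory is passed in as the first argument.

```shell
#!/bin/sh
# Added example (not vendor code). Matches only the two file names that the
# note lists, under <LSF_TOP>/10.1/resource_connector/*/lib.
# Usage: remove_rc_log4j_jars /path/to/LSF_TOP          (dry run)
#        remove_rc_log4j_jars /path/to/LSF_TOP apply    (delete)

# Print each flagged JAR that is present, one path per line.
list_rc_log4j_jars() {
    lsf_top=$1
    for jar in "$lsf_top"/10.1/resource_connector/*/lib/log4j-core-2.14.1.jar \
               "$lsf_top"/10.1/resource_connector/*/lib/log4j-api-2.14.1.jar; do
        # An unmatched glob stays literal, so confirm the file really exists.
        [ -f "$jar" ] && printf '%s\n' "$jar"
    done
    return 0
}

# Dry run unless the second argument is "apply".
# Returns 0 when no flagged JAR remains afterwards, 1 otherwise.
remove_rc_log4j_jars() {
    lsf_top=$1
    mode=${2:-dry-run}
    list_rc_log4j_jars "$lsf_top" | while IFS= read -r jar; do
        if [ "$mode" = apply ]; then
            rm -f -- "$jar" && echo "removed: $jar"
        else
            echo "would remove: $jar"
        fi
    done
    # Re-scan so the exit status reflects what is on disk now.
    [ -z "$(list_rc_log4j_jars "$lsf_top")" ]
}
```

A nonzero return after a dry run means flagged files are still present; other Log4j versions in the same directories are left untouched.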
Important: Before you apply the Platform LSF patch that is associated with this note, perform the following step:
Click the Downloads tab in this note to access the patch for this issue.
Operating System and Release Information
SAS System | Platform LSF | 64-bit Enabled AIX | 9.4 TS1M7 | |
SAS System | Platform LSF | 64-bit Enabled Solaris | 9.4 TS1M7 | |
SAS System | Platform LSF | HP-UX IPF | 9.4 TS1M7 | |
SAS System | Platform LSF | Linux for x64 | 9.4 TS1M7 | |
SAS System | Platform LSF | Solaris for x64 | 9.4 TS1M7 | |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Note: To remove the vulnerability for Apache Log4j in Platform LSF 10.1.0.6, install the E3K002 patch.
Note: To remove the vulnerability for Apache Log4j in Platform LSF 10.1.0.9, install the K3L003 patch.
Type: Problem Note
Priority: alert
Date Modified: 2023-08-09 09:47:53
Date Created: 2022-01-12 09:54:14