Article Number
000068176
Applies To
This is a known issue in the following versions.
- SecurID Governance & Lifecycle 7.5.2 P03
This issue only occurs for customers who originally applied 7.5.2 GA version and patched manually to 7.5.2 P03.
Customers who installed 7.5.2 P03 directly are not susceptible to this issue.
Issue
Vulnerability scanners may still detect legacy versions of log4j 1.2 files even after applying the 7.5.2 P03 (or later) patch that updates the log4j files to the latest versions.
/home/oracle/wildfly-24.0.1.Final/domain/servers/img-server-1/tmp/vfs/deployment/deploymentce14e3e2e63ff111/log4j-1.2.17.jar-ac85bf9ec2e9f73b/log4j-1.2.17.jar
/home/oracle/wildfly-24.0.1.Final/domain/servers/img-server-1/tmp/vfs/deployment/deploymentce14e3e2e63ff111/aveksa.war-17e64ca16167e125/VaronisCollector1/lib/log4j-1.2.17.jar
/home/oracle/wildfly-24.0.1.Final/domain/servers/img-server-1/tmp/vfs/deployment/deploymentce14e3e2e63ff111/aveksa.war-17e64ca16167e125/HL7AccountCollector1/lib/log4j-1.2.17.jar
/home/oracle/wildfly-24.0.1.Final/domain/servers/img-server-1/tmp/vfs/deployment/deploymentce14e3e2e63ff111/aveksa.war-17e64ca16167e125/HL7EntitlementCollector1/lib/log4j-1.2.17.jar
Cause
Although legacy log4j files are removed from the main aveksa application the patch updater fails to identify that these files need to be removed for legacy collectors.
This issue only occurs during patching. The release version of 7.5.2 P03 that is installed as an installer are not affected.
Resolution
This issue is resolved in the following versions.
- SecurID Governance & Lifecycle 7.5.2 P07
