webMethods

  • 1.  Log4J Vulnerabilities

    Posted Sun April 28, 2024 08:51 AM

    webMethods IS is in use, at the 10.11 and 10.3 levels:

    We are getting a lot of vulnerabilities during scans because of log4j and are planning to upgrade to the latest log4j2 version. Can someone suggest how we can plan our upgrade activity?

    If possible, please confirm which files/jars need to be updated.

    Apache Log4j Remote Code Execution (RCE) Vulnerability (CVE-2021-45046) (Log4Shell)
    Apache Log4j Remote Code Execution (RCE) Vulnerability (CVE-2021-44832)
    EOL/Obsolete Software: Apache Log4j 1.X Detected
    Apache Log4j 1.2 Remote Code Execution Vulnerability


    #webMethods
    #Integration-Server-and-ESB


  • 2.  RE: Log4J Vulnerabilities

    Posted Mon April 29, 2024 04:56 AM

    Hi Rohit,

    Hopefully you have support contracts with SAG (Extended for 10.3) in place.
    SAG has already released fixes for this third-party component to remediate these vulnerabilities.

    For 10.3 this should be at least TPP_10.3_log4J_Fix2, which updates to log4j 1.2.18.3.
    For 10.11 this should be at least TPP_10.11_Loggers_Fix1 and TPS_10.11_Loggers_Fix1, which update to log4j 2.16.0.

    You should consider upgrading both versions to wM 10.15 as soon as possible.

    Regards,
    Holger


    #Integration-Server-and-ESB
    #webMethods
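
An added example, not part of the thread and not Software AG tooling: a Python inventory that walks an installation directory, reads the version of each log4j jar, and compares it with the levels named in the reply above (1.2.18.3 for the 10.3 fix, 2.16.0 for the 10.11 fixes). It assumes the jars carry "log4j" in their file names and does not open nested archives; the function names and the baseline table are illustrative.

```python
import re
import sys
import zipfile
from pathlib import Path

# Baselines taken from the thread: the 10.3 fix ships log4j 1.2.18.3 and the
# 10.11 fixes ship 2.16.0. Raise them if your scanner demands a later release.
BASELINES = {1: (1, 2, 18, 3), 2: (2, 16, 0, 0)}
VER = re.compile(r"\d+(?:\.\d+)+")


def jar_version(jar_path):
    """Version string from the manifest's Implementation-Version, else the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                m = VER.search(line)
                if m:
                    return m.group()
    except (KeyError, zipfile.BadZipFile, OSError):
        pass  # no manifest or unreadable archive: fall back to the file name
    hits = VER.findall(Path(jar_path).name)
    return hits[-1] if hits else None  # last hit: log4j-1.2-api-2.x is a 2.x jar


def audit(root):
    """Return [(path, version, status)] for every jar under root named *log4j*."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        if "log4j" not in jar.name.lower():
            continue
        ver = jar_version(jar)
        status = "UNKNOWN"  # no version found, or a major line with no baseline
        if ver:
            key = (tuple(int(p) for p in ver.split(".")) + (0, 0, 0))[:4]
            base = BASELINES.get(key[0])
            if base:
                status = "OK" if key >= base else "BELOW_BASELINE"
        findings.append((str(jar), ver, status))
    return findings


if __name__ == "__main__":
    for path, ver, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:15} {ver or '?':10} {path}")
```

Run it against the installation root before and after applying the fixes; any `BELOW_BASELINE` or `UNKNOWN` row is a jar to check by hand.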


  • 3.  RE: Log4J Vulnerabilities

    Posted Mon April 29, 2024 05:20 AM

    Thanks Holger, we upgraded the fixes on 10.11 and log4j is updated to 2.17.1.
    We’ll upgrade our 10.3 server to 10.11 soon.


    #Integration-Server-and-ESB
    #webMethods


  • 4.  RE: Log4J Vulnerabilities

    Posted Tue April 30, 2024 11:14 AM

    EOM for 10.11 is Oct 2024. You should plan to move to 10.15 instead.


    #webMethods
    #Integration-Server-and-ESB


  • 5.  RE: Log4J Vulnerabilities

    Posted Mon April 29, 2024 11:08 AM

    I suggest upgrading the webMethods version instead of just updating log4j. There are probably a lot more vulnerabilities since that version stopped receiving updates.


    #webMethods
    #Integration-Server-and-ESB


  • 6.  RE: Log4J Vulnerabilities

    Posted Tue April 30, 2024 04:52 AM

    Hi SARLAK,

    Thanks for your suggestion and information. We will check with our manager and update here.

    Regards,
    Sravya.


    #Integration-Server-and-ESB
    #webMethods