Security Issue: log4j-core.jar file

Posted Tue, 14 Dec 2021 00:27:01 GMT by Kelly Burns Kaiser Permanente

On our Automate servers I found log4j-core.jar file which is a security vulnerability. Will Automate be creating a patch for this and if so, what is the ETA?

Posted Tue, 14 Dec 2021 00:30:11 GMT by Kelly Burns Kaiser Permanente

And I realize that is under Oracle client however are there are any Log4j files or *.jar files used in Automate?

Also, we may be installing an application called CrowdStrike to help combat a potential vulnerability with these types of files. Will that cause any conflict with Automate?

Posted Tue, 14 Dec 2021 19:08:53 GMT by Kelly Burns Kaiser Permanente

For other customers who might be concerned, I just received this from Automate Support:

Since Automate is not using log4j, therefore it is not impacted by the log4j 2 vulnerability described in the CVE-2021-44228.
As for CrowdStrike impact on Automate, we have not experience with it, so we don't know if it could negatively impact it.

Posted Tue, 14 Dec 2021 19:24:24 GMT by Jack Dawson Sutton Place Limited Director Of It

What about with the HelpSystems Insite software that is used to manage Automate? I have found multiple instances of log4j files under the root installation folder and appears to be using it. Has anyone heard from HelpSystems if there is a patch or mitigation for this product?

Posted Thu, 16 Dec 2021 13:03:38 GMT by Gerry Muyargas Rexall Pharmacy Group Ltd. AS/400 Operations Supervisor

Do you at least have a link that shows a summary of your list of products that are or are not impacted by the CVE-2021-44228?

Posted Wed, 29 Dec 2021 16:57:39 GMT by Michael Snider WORLDPAC

Here's a list for Robot, Powertech, and Sequel products: Apache Log4j Impact On HelpSystems Products

Security Issue: log4j-core.jar file

+1 800-328-1000

[email protected]

Infrastructure Protection & Data Security

Managed Security Services

Automation

IBM i