
[Analytics 2.5.0] log4j files within APIM Analytics 2.5.0 pack.

Status: Open. Hamool-Nizar opened this issue 1 year ago, 0 comments.

Description

We recently carried out vulnerability scans on APIM servers and discovered that log4j v1.x files are still present in the latest updated APIM Analytics version 2.5.0 package.

Upon further investigation, we discovered that in other products (such as APIM 2.5.0, APIM 2.6.0, APIM Analytics 2.6.0), to mitigate the known vulnerabilities of Apache Log4j v1.x (related to Security Advisory WSO2-2022-1828) the related jars have been removed and the dependency has been replaced with Reload4j 1.2.19.

The security update has also been applied to APIM Analytics 2.5.0 (through WSO2 Carbon 4.4.X Update 2022-04-18). However, even though the reload4j jar files have been added, the existing log4j v1.x jar files have not been removed. As a result, these jars still remain in the latest updated (37) APIM Analytics 2.5.0 package.

Since this seems to be a defect in the security update, could you please provide a solution/fix to resolve this issue?

Best regards, Hamool

Steps to Reproduce

  1. Update the APIM Analytics version 2.5.0 to the latest level.
  2. Check for log4j v1.x files within the APIM Analytics version 2.5.0.

Affected Component

Analytics

Version

2.5.0

Environment Details (with versions)

No response

Relevant Log Output

No response

Related Issues

No response

Suggested Labels

No response

Hamool-Nizar, Apr 02 '24 05:04
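Step 2 of the reproduction ("check for log4j v1.x files within the pack") is the part a scanner gets wrong most often, because Reload4j deliberately keeps the `org.apache.log4j` package, so a grep for class names flags the replacement as well as the leftover. The script below is an added example, not code from the issue reporter or from WSO2: it walks an unpacked product directory, reads each jar's manifest, and separates Log4j 1.x jars from Reload4j jars. The marker class path, the manifest values it keys on (`Bundle-SymbolicName: ch.qos.reload4j` for Reload4j, a `Bundle-SymbolicName` starting with `log4j` for the old bundle), and the jar names and directory layout in the constructed demo pack are assumptions for illustration, not a description of the real APIM Analytics tree.

```python
# Added example (not from the issue or WSO2): find Log4j 1.x jars left
# behind after a Reload4j swap in an unpacked product directory.
import os
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Both log4j 1.2.x and reload4j ship classes under org.apache.log4j, so a
# class-name grep alone cannot tell them apart; the manifest and the jar
# file name are used to separate the two. Patterns are assumptions.
MARKER_CLASS = "org/apache/log4j/Logger.class"
LOG4J1_FILENAME = re.compile(r"^log4j[-_]1\.2\.\d+.*\.jar$", re.IGNORECASE)
RELOAD4J_FILENAME = re.compile(r"^reload4j[-_]\d.*\.jar$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    kind: str    # "log4j1", "reload4j" or "unknown"
    reason: str


def parse_manifest(raw: bytes) -> Dict[str, str]:
    """Parse META-INF/MANIFEST.MF, joining continuation lines (leading space)."""
    entries: Dict[str, str] = {}
    key: Optional[str] = None
    for line in raw.decode("utf-8", "replace").splitlines():
        if line.startswith(" ") and key is not None:
            entries[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            entries[key] = value.strip()
    return entries


def classify_jar(path: str) -> Optional[Finding]:
    """Return a Finding for jars carrying the log4j 1.x API, else None."""
    name = os.path.basename(path)
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if MARKER_CLASS not in names:
                return None
            manifest = (parse_manifest(zf.read("META-INF/MANIFEST.MF"))
                        if "META-INF/MANIFEST.MF" in names else {})
    except zipfile.BadZipFile:
        return Finding(path, "unknown", "not a readable zip archive")
    symbolic = manifest.get("Bundle-SymbolicName", "").lower()
    title = manifest.get("Implementation-Title", "").lower()
    if "reload4j" in symbolic or "reload4j" in title or RELOAD4J_FILENAME.match(name):
        return Finding(path, "reload4j", "manifest or file name identifies reload4j")
    if LOG4J1_FILENAME.match(name) or symbolic.startswith("log4j") or title == "log4j":
        return Finding(path, "log4j1", "manifest or file name identifies log4j 1.x")
    return Finding(path, "unknown", "org.apache.log4j classes of unrecognised origin")


def scan_pack(root: str) -> List[Finding]:
    """Walk an unpacked product directory and classify every jar in it."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(".jar"):
                f = classify_jar(os.path.join(dirpath, fn))
                if f is not None:
                    findings.append(f)
    return findings


def leftover_log4j1(root: str) -> List[Finding]:
    """The jars the issue describes: log4j 1.x still present beside reload4j."""
    return [f for f in scan_pack(root) if f.kind == "log4j1"]


def build_demo_pack(root: str) -> None:
    """Write a constructed, minimal fake pack (assumed layout, not a real WSO2 tree)."""
    def write_jar(rel: str, manifest: str, with_marker: bool) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
            if with_marker:
                zf.writestr(MARKER_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    write_jar("lib/reload4j-1.2.19.jar",
              "Manifest-Version: 1.0\nBundle-SymbolicName: ch.qos.reload4j\n", True)
    write_jar("repository/components/plugins/log4j_1.2.17.wso2v1.jar",
              "Manifest-Version: 1.0\nBundle-SymbolicName: log4j\n", True)
    write_jar("lib/commons-lang-2.6.jar",
              "Manifest-Version: 1.0\nImplementation-Title: Commons Lang\n", False)


def demo() -> Dict[str, List[str]]:
    """Build the constructed pack in a temp dir and return jar names by kind."""
    import tempfile
    root = tempfile.mkdtemp()
    build_demo_pack(root)
    out: Dict[str, List[str]] = {}
    for f in scan_pack(root):
        out.setdefault(f.kind, []).append(os.path.basename(f.path))
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # real pack: python scan.py /path/to/pack
        for f in scan_pack(sys.argv[1]):
            print(f"{f.kind:9} {f.path}  ({f.reason})")
        sys.exit(1 if leftover_log4j1(sys.argv[1]) else 0)
    print(demo())                               # constructed pack
```

Run it against the unpacked product directory; a non-zero exit means at least one jar still identifies itself as Log4j 1.x even though a Reload4j jar may sit beside it, which is exactly the state the issue reports. Treat "unknown" findings as worth a manual look: a repackaged or shaded jar that carries `org.apache.log4j` classes without a recognisable manifest is neither cleared nor condemned by this check.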