1 Reply Latest reply on Jan 3, 2022 4:42 AM by Ashwini Ramakrishna

    log4j vulnerability on scan

    Todd Springett New Member

      Hello, we use Informatica in conjunction with our HR UltiPro app. We have the secure agent running on an in-house server. The security team at my company is reporting that the log4j vulnerability has been detected in the install directory for the secure agent. I've contacted UltiPro support, and they just point me to the Informatica log4j update page. As far as I understand it, the secure agent is updated automatically. In the runtime environment area it shows that it is up to date. I've also followed the optional steps to update the jar and war files. When the scan is run, it still reports the vulnerability. Not sure if all is OK or if there is still something to do?

       

      Scan report

      [Yesterday 7:18 AM]

      Windows Process Found : '"C:\\PROGRA~1\\INFORM~1\\apps\\jdk\\1.8.0_Zulu8.56.0.22_302_SA\\jre/bin/java.exe" -Xms256m -Xmx3072m "-XX:+HeapDumpOnOutOfMemoryError" "-Dlog4j2.formatMsgNoLookups=true" -classpath "C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\tomcatEightApp-1.0.3.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\guava-30.0-jre.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\tomcat-embed-core-9.0.54.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\agent-apps-common-1.0.0-MRel.581.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\saas-common-1.0.0-MRel.581.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\encoder-1.2.1.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\commons-codec-1.9.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\log4j-1.2-api-2.13.2.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\log4j-core-2.13.2.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\failureaccess-1.0.1.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\jsr305-3.0.2.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\checker-qual-3.5.0.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\error_prone_annotations-2.3.4.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\j2objc-annotations-1.3.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\tomcat-annotations-api-9.0.54.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\lib\\log4j-api-2.13.2.jar;C:\\PROGRA~1\\INFORM~1\\apps\\OpsInsightsDataCollector\\24.1.1\\bin\\..\\conf" com.informatica.agentapp.tomcateight.App '

       

      T
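The scan line in the post above shows two things at once: the `-Dlog4j2.formatMsgNoLookups=true` property and `log4j-core-2.13.2.jar` on the classpath. The sketch below is an added example, not part of the original post and not Informatica or UltiPro tooling; it triages such a command line per `log4j-core` jar. `SAMPLE_CMDLINE`, the status labels and the `fixed_floor` default are assumptions made for illustration; set the floor to the release your vendor advisory names.

```python
import re

# Constructed sample: a shortened form of the command line in the scan report.
SAMPLE_CMDLINE = (
    r'"C:\PROGRA~1\INFORM~1\apps\jdk\jre/bin/java.exe" -Xms256m '
    r'"-Dlog4j2.formatMsgNoLookups=true" -classpath '
    r'"C:\apps\lib\guava-30.0-jre.jar;C:\apps\lib\log4j-1.2-api-2.13.2.jar;'
    r'C:\apps\lib\log4j-core-2.13.2.jar;C:\apps\lib\log4j-api-2.13.2.jar" '
    r'com.informatica.agentapp.tomcateight.App'
)

# Only log4j-core carries the lookup code; log4j-api and the 1.2 bridge are skipped.
CORE_JAR = re.compile(r'log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar', re.I)
NOLOOKUPS = re.compile(r'-Dlog4j2\.formatMsgNoLookups=(\w+)', re.I)
FLAG_HONOURED_FROM = (2, 10, 0)  # earlier 2.x releases ignore the property


def triage(cmdline, fixed_floor=(2, 17, 1)):
    """Return one finding per log4j-core jar named on the process command line.

    fixed_floor is an assumption: the lowest version treated as patched.
    """
    m = NOLOOKUPS.search(cmdline)
    flag_set = bool(m) and m.group(1).lower() == "true"
    findings = []
    for jar in CORE_JAR.finditer(cmdline):
        version = tuple(int(part or 0) for part in jar.groups())
        if version >= fixed_floor:
            status = "at-or-above-fixed-floor"
        elif flag_set and version >= FLAG_HONOURED_FROM:
            status = "old-jar-flag-honoured"    # mitigated at runtime, file still old
        elif flag_set:
            status = "old-jar-flag-ignored"     # property has no effect on this release
        else:
            status = "old-jar-unmitigated"
        findings.append({"jar": jar.group(0), "version": version,
                         "flag_set": flag_set, "status": status})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINE):
        print(finding)
```

The property is a runtime mitigation rather than a fix, so a scanner that matches on jar file name or version keeps reporting the finding until the `log4j-core` file itself is replaced.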