ZCM 23.4 on Windows Server log4j patch

Hi,

I recently upgraded my ZCM Primary from 2017 to 2020, 2020.2, then 23.4, and also performed a Windows Server OS upgrade. After upgrading to 23.4, my network security scanners are flagging ZCM as having the log4j vulnerability. Could someone point me to the update I need to perform on ZCM 23.4 to fix the log4j vulnerability? I know I need to migrate my ZCM primary to a Linux server, but that option is not available at this time.

Thanks,

Joe

  • Suggested Answer

    There should not be any.....

    Here is a very old document...

    https://portal.microfocus.com/s/article/KM000003058?language=en_US

    It's possible it's picking up some old stray file... hard to say...


  • 0 in reply to   

    Hi Craig,

    Thank you for the response and sorry for the delayed response. These are the files my scanner is picking up for vulnerabilities on my ZENworks Primary server 23.4.0.88. I only have the one server for ZENworks. Will the update you sent a link for fix these or should I open a support request?

    Path: \Micro Focus\ZENworks\conf\CASA\templates\CasaAuthTokenSvc.war
    Installed version: 1.2.14
    Security End of Life: August 4, 2015
    Time since Security End of Life (Est.) : >= 9 years

    Path: \Micro Focus\ZENworks\share\ats\lib\external\apache.org\log4j-1.2.14.jar
    Installed version: 1.2.14
    Security End of Life: August 4, 2015
    Time since Security End of Life (Est.) : >= 9 years

    Path: \Novell\ZENworks\ZeUS\work\prepare\5017040000fc50000000002019011514\webapps\systemupdate.war
    Installed version: 1.3
    Security End of Life: August 4, 2015
    Time since Security End of Life (Est.) : >= 9 years

    Path: \zdc\lib\java\system\log4j-1.2.15.jar
    Installed version: 1.2.15
    Security End of Life: August 4, 2015
    Time since Security End of Life (Est.) : >= 9 years

    Path: \Novell\ZENworks\work\content-repo\system-update\5020020000fc50000000002021080115\systemupdate.war
    Installed version: 2.13.0
    Fixed version: 2.15.0

    Path: \Novell\ZENworks\ZeUS\lib\20.2.0.990\log4j-core-2.13.0.jar
    Installed version: 2.13.0
    Fixed version: 2.15.0
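
One way to cross-check a scanner report like the one above is to inventory the log4j jars yourself, including copies packed inside `.war` files. The script below is an added example, not part of the thread and not vendor code; the function names are hypothetical, the version is read from the jar file name (an assumption that fails for renamed or shaded copies), and the 2.15.0 threshold is the "Fixed version" from the report.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Assumption: log4j 1.x and log4j-core 2.x jars keep their version in the file name.
LOG4J_JAR = re.compile(r"log4j(?:-core)?-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)
ARCHIVES = (".war", ".ear", ".jar", ".zip")
FIXED_2X = (2, 15, 0)  # "Fixed version" quoted in the scanner report above


def classify(version):
    """Bucket a version the way the scanner report does."""
    parts = (tuple(int(p) for p in version.split(".")) + (0, 0))[:3]
    if parts[0] == 1:
        return "1.x end-of-life"
    return "below 2.15.0" if parts < FIXED_2X else "2.15.0 or later"


def scan_archive(source, label, findings, depth=0):
    """Record log4j jars inside an archive, descending into nested archives."""
    try:
        with zipfile.ZipFile(source) as zf:
            for name in zf.namelist():
                hit = LOG4J_JAR.search(name)
                if hit:
                    findings.append((f"{label}!{name}", hit.group(1), classify(hit.group(1))))
                elif name.lower().endswith(ARCHIVES) and depth < 3:
                    scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", findings, depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # unreadable, encrypted, or not really a zip: skip it


def scan_tree(root):
    """Return (location, version, status) for every log4j jar under root."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        hit = LOG4J_JAR.search(path.name)
        if hit:
            findings.append((str(path), hit.group(1), classify(hit.group(1))))
        elif path.suffix.lower() in ARCHIVES:
            scan_archive(path, str(path), findings)
    return findings


if __name__ == "__main__":
    for location, version, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:16} {version:8} {location}")
```

Run it with the install directory as the only argument; entries under `work` or `prepare` staging folders in the output are the kind of leftover file the first reply suspects.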