January 6th, 2023 07:00

Dell Storage Manager Client log4j 1.2.13

I'm using the latest version of Dell Storage Manager (20.1.10.79) and I see some of the log4j components have been updated to the 2.17 version, but there is still a log4j 1.2.13 jar file present. I realize this isn't the vulnerable 2.x version, but it is long out of support and my info sec team is flagging it.

Is it safe to just delete this jar file? Is it a necessary part of DSM? Is there another remediation or workaround for this?

Thanks

Moderator

8.8K Posts

March 28th, 2024 18:55

Eprise,

Based on the article here, it looks like it was corrected on version 10.1.2.

Let me know if this helps.

3 Posts

January 6th, 2023 12:00

C:\Program Files (x86)\Dell\Enterprise Manager\msagui\lib\log4j-1.2.13.jar

Moderator

3.7K Posts

January 6th, 2023 12:00

Hello dbenz03,

I will need to check into this. I don't know the implication of deleting DSM files.

Do you have the exact file name(s) you are concerned about?

Moderator

3.7K Posts

January 6th, 2023 12:00

Thank you dbenz03

Moderator

3.7K Posts

January 9th, 2023 10:00

Hello dbenz03,

The scan warning specifically for the file log4j-1.2.13.jar has been confirmed as a false positive.

The file cannot be deleted, and it is safe to ignore the relevant warnings.

Development is looking at the possibility of removing log4j 1.x from DSM in the future, but there is no ETA as of now.

2 Posts

March 28th, 2024 18:43

@DELL-Charles R​ Any update on this fix? This post was over a year ago. Was a patch ever released so that we do not need to mark this as a false positive finding?

2 Posts

March 28th, 2024 19:02

@DELL-Chris H​ Thank you Chris!

1 Rookie

1 Message

May 9th, 2024 16:06

@Eprise

The log4j 1.2.13 jar file is still present in 20.1.2 that @DELL-Chris H mentions. While this version remediates the log4j vulnerability, it contains this very old file that the OP originally inquired about.

Install the latest version; at the moment it's 20.1.20. I can confirm the log4j 1.2.13 jar is no longer present and was removed at some point.
