NetIQ Access Manager Patch Release for Log4j Vulnerability

This patch release includes fixes for the CVE-2021-44228 and CVE-2021-45046 vulnerabilities. This patch is supported for the following versions of the product:

  • Access Manager 4.5 Service Pack 5

  • Access Manager Appliance 4.5 Service Pack 5

1.0 Security Vulnerability Fixes

This release fixes the following Log4J vulnerability issues:

2.0 Applying the Patch

IMPORTANT: In a cluster setup, ensure that you install the patch on each node of the Access Manager setup.

2.1 Downloading the Patch

Download the patch file from the Software License and Download portal.

Table 1 Files Available for Access Manager Patch Release for the Log4J Vulnerability:

| Filename | Description |
|---|---|
| AM_log4j_Patch_Linux64.tar.gz | Contains the Log4j vulnerability fix for Access Manager (Administration Console, Identity Server, Access Gateway) on Linux and Access Manager Appliance. |
| AM_log4j_Patch_Windows64.zip | Contains the Log4j vulnerability fix for Access Manager (Administration Console, Identity Server, Access Gateway) on Windows. |
| AM_log4j_AnalyticsServer_Patch.tar.gz | Contains the Log4j vulnerability fix for Analytics Server. |

2.2 Installing the Patch

IMPORTANT:

  • During installation of the patch, all running services are stopped temporarily. After the patch is installed, all services are restarted.

  • After installing this patch, the version number of Access Manager components is not changed.

Access Manager on Linux and Access Manager Appliance

  1. Extract the patch file by using the tar xvf AM_log4j_Patch_Linux64.tar.gz command.

  2. Go to the location where you have extracted the patch files.

  3. Run the install_patch.sh script in the extracted AM_log4j_Patch_Linux64 folder as a root or root equivalent user.

  4. To validate whether the patch is applied successfully, run the following command and check that the jar versions are 2.16.0:

    find / -name 'log4j-core*.jar'

Access Manager on Windows

  1. Unzip the AM_log4j_Patch_Windows64.zip file.

    The extracted folder AM_log4j_Patch_Windows64 contains the install_patch.bat file.

  2. Go to the location where you have extracted the patch files.

  3. Run install_patch.bat as an administrator or start a command prompt as an administrator and run the batch file. You must run the batch file inside the extracted AM_log4j_Patch_Windows64 folder.

  4. To validate whether the patch is applied successfully, search for the log4j jar in the file explorer and check the version. The version must be 2.16.0.

Analytics Server

  1. Extract the patch file by using the tar xvf AM_log4j_AnalyticsServer_Patch.tar.gz command.

  2. Go to the location where you have extracted the patch files.

  3. Run the ar_install_patch.sh script in the extracted AM_log4j_AnalyticsServer_Patch folder as a root or root equivalent user.

  4. To validate whether the patch is applied successfully, run the following command:

    find / -name 'log4j*.jar' | xargs grep org/apache/logging/log4j/core/lookup/JndiLookup.class

    NOTE: You might see log4j-core-2.16.0.jar in /opt/novell/devman/jcc/lib/. Ignore that as it is not vulnerable.
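The two validation commands above (the jar version check and the JndiLookup.class search) can be combined into one audit pass. The script below is an added example, not part of the patch or of Micro Focus tooling. It assumes that a jar is acceptable when JndiLookup.class is absent or when its filename carries version 2.16.0, which is how the note above treats log4j-core-2.16.0.jar; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: post-patch audit of log4j jars. Not part of the vendor patch.
# Assumption: a jar is acceptable if JndiLookup.class is absent, or if its
# filename carries the fixed version named in the release notes (2.16.0).

FIXED_VERSION="2.16.0"
JNDI_CLASS="org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Version taken from the jar filename (log4j-core-2.16.0.jar -> 2.16.0).
# Prints nothing when the filename has no version suffix.
jar_version() {
    basename "$1" | sed -n 's/.*-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Zip archives store entry names uncompressed, so a fixed-string grep on the
# jar finds the class entry, as the find | xargs grep command above does.
has_jndi_lookup() {
    grep -q -F "$JNDI_CLASS" "$1"
}

# Print OK or REVIEW plus a reason for one jar.
classify_jar() {
    if ! has_jndi_lookup "$1"; then
        echo "OK no-JndiLookup"
        return 0
    fi
    version=$(jar_version "$1")
    if [ "$version" = "$FIXED_VERSION" ]; then
        echo "OK version-$version"
    else
        echo "REVIEW JndiLookup-present-version-${version:-unknown}"
    fi
}

# Report every log4j jar under a root directory, one line per jar.
audit_log4j() {
    find "$1" -type f -name 'log4j*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        printf '%s %s\n' "$(classify_jar "$jar")" "$jar"
    done
}

# Run as: sh audit_log4j.sh /   (with no argument, only define the functions)
if [ "$#" -gt 0 ]; then
    audit_log4j "$1"
fi
```

The script inspects only files named log4j*.jar on the file system; jars nested inside other archives are not opened.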

3.0 Contacting Micro Focus

For specific product issues, contact Micro Focus Support at https://www.microfocus.com/support-and-services/.

Additional technical information or advice is available from several sources:

4.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/.

© Copyright 2021 Micro Focus or one of its affiliates.