A high-severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j2 utility was disclosed publicly on December 9, 2021. The vulnerability impacts Apache Log4j2 versions below 2.15.0. Details of this vulnerability are documented here: https://logging.apache.org/log4j/2.x/security.html

ManageEngine products bundled with vulnerable Log4j2:

| Product name | Jar version in bundled dependency |
| --- | --- |
| ADManager Plus | V2.11.1 |
| ADAudit Plus | V2.10.0 |
| DataSecurity Plus | V2.10.0 |
| EventLog Analyzer | V2.9.1 |
| M365 Manager Plus | V2.11.1 |
| RecoveryManager Plus | V2.11.1 |
| Exchange Reporter Plus | V2.11.1 |
| Log360 | V2.9.1 |
| Log360 UEBA | V2.11.1 |
| Cloud Security Plus | V2.9.1 |

Please note that we have not identified any exploitable cases due to Log4j2 in the above products, as we do not use Log4j directly for logging. However, some of the third-party components we use bundle Log4j2 as a dependency. As an additional safety measure, customers are instructed to apply the mitigation steps listed below:

  1. ADManager Plus 
  2. ADAudit Plus 
  3. DataSecurity Plus 
  4. EventLog Analyzer 
  5. M365 Manager Plus 
  6. RecoveryManager Plus
  7. Exchange Reporter Plus 
  8. Log360
  9. Log360 UEBA (steps detailed in comments of ManageEngine PitStop post here)
  10. Cloud Security Plus (steps detailed in comments of ManageEngine PitStop post here)

*** Other ManageEngine products that are not listed above are not impacted by this vulnerability ***

We are continuing to analyze the issue and will update this advisory if any new information becomes available. For any additional details or assistance, please contact security@manageengine.com
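A check an administrator can run over a product's installation directory to confirm which bundled Log4j2 jars fall below the 2.15.0 threshold stated in this advisory. This is an added example, not ManageEngine's tooling or its mitigation steps; the function names are hypothetical, and it assumes each jar keeps its standard Maven `pom.properties` entry or a `log4j-core-<version>.jar` filename. Jars nested inside other archives are not inspected.

```python
import os
import re
import sys
import zipfile

FIXED = (2, 15, 0)  # per the advisory: versions below 2.15.0 are affected
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)", re.I)


def parse_version(text):
    """Turn the leading numeric part of '2.11.1' into (2, 11, 1)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def jar_version(path):
    """Prefer the version recorded inside the jar; fall back to the filename."""
    try:
        with zipfile.ZipFile(path) as jar:
            if POM in jar.namelist():
                for line in jar.read(POM).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: the filename is the only evidence left
    m = NAME_RE.search(os.path.basename(path))
    return parse_version(m.group(1)) if m else None


def scan(root):
    """Return (path, version, affected) for every log4j-core jar under root."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(folder, name)
                version = jar_version(path)
                if version is not None:
                    findings.append((path, version, version < FIXED))
    return findings


if __name__ == "__main__":
    for path, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("AFFECTED" if affected else "ok      ", ".".join(map(str, version)), path)
```

Run it with the installation directory as the only argument; a renamed jar is still identified as long as its `pom.properties` entry is intact.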
