A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j2 utility was disclosed publicly on December 9, 2021. The vulnerability impacts Apache Log4j2 versions below 2.15.0. Find the details of this vulnerability documented here: https://logging.apache.org/log4j/2.x/security.html

ManageEngine products bundled with vulnerable Log4j2:

Product nameJar version in bundled dependency
ADManager PlusV2.11.1
ADAudit PlusV2.10.0
DataSecurity PlusV2.10.0
EventLog AnalyzerV2.9.1
M365 Manager PlusV2.11.1
RecoveryManager PlusV2.11.1
Exchange Reporter PlusV2.11.1
Log360V2.9.1
Log360 UEBAV2.11.1
Cloud Security PlusV2.9.1

Please note that we have not identified any exploitable cases due to Log4j2 in the above products as we do not use Log4j directly for logging. But, some of the third parties we use bundle Log4j2 as a dependency. So as an additional safety measure, customers are instructed to apply the mitigation steps listed below:

  1. ADManager Plus 
  2. ADAudit Plus 
  3. DataSecurity Plus 
  4. EventLog Analyzer 
  5. M365 Manager Plus 
  6. RecoveryManager Plus
  7. Exchange Reporter Plus 
  8. Log360
  9. Log360 UEBA (steps detailed in comments of ManageEngine PitStop post here)
  10. Cloud Security Plus (steps detailed in comments of ManageEngine PitStop post here)

*** Other ManageEngine products that are not listed above are not impacted by this vulnerability ***

We are continuing to analyze the issue and will update this advisory if any new information becomes available.For any additional details or assistance, please contact security@manageengine.com

This article is relevant to:
ManageEngineSecurity Advisory

You may be interested in these other recent articles

ManageEngine ServiceDesk Plus Cloud Build Release Information

7 July 2024

Summary details of the current Build Release information for ManageEngine ServiceDesk Plus Cloud Edition. All upgrades are performed by the Zoho Cloud team. Should you…

Read more

ManageEngine ADSelfService Plus Build Release Information

3 July 2024

The current build release information for ManageEngine ADSelfService Plus is summarised below. Scroll down for more information. You can download the latest service packs here.…

Read more

ManageEngine Analytics Plus Build Release Information

25 June 2024

Summary details of the current build release information for ManageEngine Analytics Plus. Scroll the above to view more release details. Download the latest service packs…

Read more

ManageEngine Password Manager Pro Build Release Information

21 June 2024

The current build release information for ManageEngine Password Manager Pro is summarised below. Scroll down for more information. You can download the latest service packs…

Read more

Security Advisory – Important Security Fix Released For ManageEngine Solutions

17 June 2024

Product Name Affected Version(s) Fixed Version Fixed on Password Manager Pro 12430 and below 12431 14/06/2024 PAM360 7000 and below 7001 14/06/2024 DetailsAn SQL injection…

Read more