We are running Gluu 4.3.1, but we are still getting alerts about Log4J

By: Peter Speden user 21 Sep 2023 at 11:31 a.m. CDT

2 Responses
Peter Speden gravatar
Running sudo ls -l /proc/*/fd | grep -Eo '\S+\/commons-text\S+jar' | uniq 2> /dev/null Returns these 2 files, which we are getting told are vulnerable. /opt/jetty-9.4/temp/jetty-localhost-8081-oxauth_war-_oxauth-any-2362823115994552055/webapp/WEB-INF/lib/commons-text-1.9.jar /opt/jetty-9.4/temp/jetty-localhost-8082-identity_war-_identity-any-9807883900994764559/webapp/WEB-INF/lib/commons-text-1.9.jar Is there something else we need to do
Gluu 4.3 Ubuntu 20.04
closed

Answers

By Michael Schwartz Account Admin 21 Sep 2023 at 11:59 a.m. CDT

Copy
Michael Schwartz gravatar
4.3 was released September 2021... so that's correct. You need to upgrade to version 4.5.2

By Peter Speden user 21 Sep 2023 at 8:58 p.m. CDT

Copy
Peter Speden gravatar
Hi How risky is the upgrade from 4.3.1 to 4.5.2. I am trying to gauge the effort required to get it working again if there is a major shift. It's disappointing that this is the answer, given that 4.3.1 was said to be the fix for Log4J, and that 4.3.1 still under support as far as I am aware.

Post an answer