cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

log4j patch Update

Suresh.H
New Member

Wanted to confirm on a couple of things as there has been changes in the recent past on these. 

 

  1. Saw a change in assessment for 2.17 applicability in the web site. Earlier it was mentioned that machine agent was vulnerable and that has been updated as below (that machine agent is not vulnerable). We are presuming that this is the final assessment and going ahead with this in mind.

SureshH_0-1640174745834.png

 

  1. Earlier we noticed that build 21.12.4 was published on 17-Dec and we saw an updated build on 20-Dec. We are packaging this build (on 20-Dec) along with our binaries.

Please confirm that this is the final official build for 21.12.4 and we will get official support in case of any issues ?

Also, if there are changes to the build, can those be published with newer version numbers as it becomes easy to understand and manage. Having same version with build date change is confusing and cause issues based on when we pick the build.

1 REPLY 1

Michelle.Koblas
AppDynamics Team (Retired)

Yes, your analysis and understanding are correct.  For the Machine Agent, we determined that it is not vulnerable to CVE-2021-45105.  Recognizing that many of the security scanners used by our customers will not be able to make this distinction and will flag the product as vulnerable just due to the library version, our team has taken proactive measures to upgrade the log4j version used, which is why there is a 21.12.4 version of the Machine Agent.