Solved

Unsupported jar version

  • 24 July 2023
  • 1 reply
  • 66 views


Log4J vulnerability Commvault based on Nessus scan finding.

Unsupported file version:

D:\Program Files\Commvault\ContentStore\WebConsole\WEB-INF\lib\log4j-over-slf4j-1.7.32.jar

 

We have updated the Commvault version to 11.28.68, and other unsupported files were updated/deleted, but not this one. How can it be updated to a newer/supported version?

Best answer by Nutan Pawar G

@Emilian

Path : \WebConsole\WEB-INF\lib\log4j-over-slf4j-1.7.32.jar
 
The log4j-over-slf4j library is used to remove dependencies on the actual log4j library from applications. It is not log4j, and it is not vulnerable to the security issues that affect log4j.
 
Any automated security scanner that performs lookups against a database of known CVEs could determine this immediately. The customer can see for themselves by comparing the “Vulnerabilities” columns of the libraries on mvnrepository:
 
Log4j 1.x: https://mvnrepository.com/artifact/log4j/log4j
log4j-over-slf4j: https://mvnrepository.com/artifact/org.slf4j/log4j-over-slf4j (no vulnerabilities present)

 

Note: We do not use any vulnerable Log4J files anymore in Commvault and we are only using Log4J 2.17.1 and above.

With Commvault Platform Release 11.30 the old ones are removed, so we should be good to clean these manually if needed.
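One way to triage a filename-based scanner finding like this one, as an added example that is not part of the original answer or of Commvault's tooling: read the Maven coordinates embedded in the JAR instead of trusting its name. It assumes the JAR was built with Maven and still carries `META-INF/maven/<groupId>/<artifactId>/pom.properties`; the function names and the in-memory sample JARs are constructed for illustration.

```python
import io
import re
import zipfile

# Maven coordinates of the real Log4j implementations (1.x and 2.x core).
REAL_LOG4J = {("log4j", "log4j"), ("org.apache.logging.log4j", "log4j-core")}
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")

def jar_coordinates(jar):
    """Return the set of (groupId, artifactId, version) embedded in a JAR.

    `jar` is a path or a binary file object. Fat/shaded JARs can embed several.
    """
    coords = set()
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not POM_PROPS.match(name):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            coords.add((props.get("groupId"), props.get("artifactId"),
                        props.get("version")))
    return coords

def classify(jar):
    """'log4j' if a real Log4j artifact is embedded, 'other' if only other
    artifacts are, 'unknown' if the JAR carries no Maven metadata."""
    coords = jar_coordinates(jar)
    if not coords:
        return "unknown"
    if any((g, a) in REAL_LOG4J for g, a, _ in coords):
        return "log4j"
    return "other"

def make_jar(group, artifact, version):
    """Build a constructed in-memory JAR holding only Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"#Generated by Maven\ngroupId={group}\n"
                    f"artifactId={artifact}\nversion={version}\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(classify(make_jar("org.slf4j", "log4j-over-slf4j", "1.7.32")))
    print(classify(make_jar("log4j", "log4j", "1.2.17")))
```

A result of `unknown` means the metadata was stripped or the JAR was not built with Maven, so it needs manual inspection rather than being treated as clean.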

 
