Problem Description
After installing COMSOL 6.3 my security scan gives a log4j warning pointing to
C:\Program Files\COMSOL\COMSOL63\Multiphysics\license\win64\lmadmin\examples\alerter\lib\log4j-core-2.17.0.jar
Solution
COMSOL Version 6.3 is not vulnerable itself. The package indicated in the warning belongs to a third-party tool, lmadmin, which is an alternative tool for license handling that is not used by default. According to the lmadmin developers, this license handling tool should not be exposed to this vulnerability. Please see CVE-2021-44832 Log4j vulnerability impact on FlexNet Publisher for more information.
If you are not using lmadmin as the license handling tool on your computer, you can safely remove the entire lmadmin directory. If you are using lmadmin on your computer, you can remove the lmadmin\examples directory instead. However, if you are using the alerter functionality in lmadmin, you need to keep the directory and patch the log4j files according to the workaround explained in Vulnerability: CVE-2021-44832 Log4j vulnerability impact on FlexNet Publisher.
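An added example (not COMSOL's or the lmadmin vendor's code) supporting the decision above: it lists every log4j-core jar under the install tree with the version recorded in the jar's manifest, checks whether an lmadmin process is running, and previews the matching removal with -WhatIf. The install root is taken from the path in the warning; the process name lmadmin and the helper name Get-JarManifestVersion are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Assumption: default install root, taken from the path in the scanner warning.
$ComsolRoot  = 'C:\Program Files\COMSOL\COMSOL63\Multiphysics'
$LmadminDir  = Join-Path $ComsolRoot 'license\win64\lmadmin'
$ExamplesDir = Join-Path $LmadminDir 'examples'
$cmp = [System.StringComparison]::OrdinalIgnoreCase

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Hypothetical helper: read Implementation-Version from the jar's manifest,
# so the report does not rely on the file name alone.
function Get-JarManifestVersion {
    param([string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('META-INF/MANIFEST.MF')
        if (-not $entry) { return $null }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
        if ($text -match '(?m)^Implementation-Version:\s*(\S+)') { return $Matches[1] }
        return $null
    } finally { $zip.Dispose() }
}

# 1. Inventory: where each log4j-core jar sits relative to lmadmin.
Get-ChildItem -LiteralPath $ComsolRoot -Recurse -File -Filter 'log4j-core-*.jar' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $location = if ($_.FullName.StartsWith($ExamplesDir + '\', $cmp)) { 'lmadmin\examples' }
                    elseif ($_.FullName.StartsWith($LmadminDir + '\', $cmp)) { 'lmadmin' }
                    else { 'outside lmadmin' }
        [pscustomobject]@{
            Location        = $location
            ManifestVersion = Get-JarManifestVersion -Path $_.FullName
            Path            = $_.FullName
        }
    } | Format-List

# 2. Is lmadmin running on this machine? (Assumed process name: lmadmin.)
#    A stopped process does not prove it is unused; confirm with the license admin.
$running = Get-Process -Name 'lmadmin' -ErrorAction SilentlyContinue

# 3. Preview only (-WhatIf deletes nothing). If the alerter is in use,
#    keep the directory and apply the vendor workaround instead.
if ($running) { Remove-Item -LiteralPath $ExamplesDir -Recurse -WhatIf }
else          { Remove-Item -LiteralPath $LmadminDir  -Recurse -WhatIf }
```

Drop -WhatIf only after confirming which of the three cases applies, then rerun the security scan to confirm the finding is gone.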
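COMSOL makes every reasonable effort to verify the information on this page. Resources and documents are provided for informational purposes only, and COMSOL makes no express or implied warranty as to their validity. COMSOL assumes no legal liability for the accuracy of the data disclosed. All trademarks mentioned in this document are the property of their respective owners. For details on trademarks, please refer to the product manuals.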