
LOG4J and MWG


Hi!
I'm sure everyone is already aware of the new vulnerability (including McAfee; I am following the KB), but there's no word on MWG impact in there just yet.

MWG ver. 9.2.14 ships with log4j-core-2.13.2.jar & log4j-api-2.13.2.jar.
Within my understanding this classifies it as vulnerable.

Do we have any mitigations we could perform? The ones in the McAfee KB only apply to versions older than 2.10.*; what do we do here?
I did read about setting an environmental variable "LOG4J_FORMAT_MSG_NO_LOOKUPS" to "true". Is there any implication with general functionality of MWG?

Thank you

15 Replies
marcus69
Reliable Contributor
Message 2 of 16

Re: LOG4J and MWG


Hi @luka_hajnrihar 

according to the following KB Article, MWG is not exploitable in terms of the log4j vulnerability:
https://kc.mcafee.com/corporate/index?page=content&id=KB95091

Best regards
    Marcus 

P.S.: If you find this post helpful, thank You for giving it a Kudo :o)

Re: LOG4J and MWG

Hi,

Status Updated from "Not Impacted/Not Exploitable" to "Under Review".

Version: 10.2.4.

WEB-INF/classes/log4j2.xml
WEB-INF/lib/log4j-api-2.13.2.jar
WEB-INF/lib/log4j-slf4j-impl-2.13.2.jar
WEB-INF/lib/log4j-core-2.13.2.jar
WEB-INF/lib/log4j-web-2.13.2.jar
marcus69
Reliable Contributor
Message 4 of 16

Re: LOG4J and MWG


A new Release is being planned, presumably including a Hotfix:

2021-12-14 08_28_03-MWG-Log4j-Fix.jpg

See https://kc.mcafee.com/agent/index?page=content&id=SB10377

Best regards
   Marcus

P.S.: If you find this post helpful, thank You for giving it a Kudo :o)

Re: LOG4J and MWG


Mitigation steps are only available to registered McAfee customers.

Re: LOG4J and MWG


CorretionPrediction.jpg

 

jacek
Reliable Contributor
Message 7 of 16

Re: LOG4J and MWG

10.2.5 was released right now. You can update your system with 'yum update'.

Re: LOG4J and MWG


Wow thanks for the notification.
Where's the release article though or are you just surfing through repositories?

 

jacek
Reliable Contributor
Message 9 of 16

Re: LOG4J and MWG


Official release notes are still in progress. They should be posted in the next 24h.

 

Info from yum update:

mwg.x86_64                    10.2.5-39162.mlos3.mwg  mlos-main-gen_release-base
mwg-config.x86_64             10.2.5-39162.mlos3.mwg  mlos-main-gen_release-base
mwg-mfetsc.x86_64             10.2.5-39162.mlos3.mwg  mlos-main-gen_release-base
mwg-release.noarch            10.2.5-39162.mlos3.mwg  mlos-main-gen_release-base
mwg-ui.noarch                 10.2.5-39162.mlos3.mwg  mlos-main-gen_release-base

 

Re: LOG4J and MWG


Hi, yup

I've already pushed our lab machine to the patch.
Happy to see log4j 2.16.0 included.
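
An added example (not from the thread or from McAfee): a Python check that inventories every log4j-core jar below a directory, such as the WEB-INF/lib listing posted earlier, and compares each version with the 2.16.0 that the post above reports in 10.2.5. The baseline, the status labels and the sample tree are assumptions constructed for illustration; the JndiLookup path is the class's location inside log4j-core.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption: baseline taken from the thread (log4j 2.16.0 reported in MWG 10.2.5).
BASELINE = (2, 16, 0)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")

def inspect_jar(path):
    """Return (version tuple or None, JndiLookup class present?) for one jar."""
    m = JAR_RE.search(Path(path).name)
    version = tuple(int(g or 0) for g in m.groups()) if m else None
    with zipfile.ZipFile(path) as jar:
        return version, JNDI_CLASS in jar.namelist()

def scan(root):
    """Report every log4j-core jar below root as (path, version, has_jndi, status)."""
    findings = []
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        try:
            version, has_jndi = inspect_jar(jar)
        except zipfile.BadZipFile:
            findings.append((str(jar), None, None, "unreadable"))
            continue
        if version is None:
            status = "unknown-version"
        elif version >= BASELINE:
            status = "at-or-above-baseline"
        else:
            status = "below-baseline" if has_jndi else "below-baseline-jndi-class-removed"
        findings.append((str(jar), version, has_jndi, status))
    return findings

def build_sample_tree(root):
    """Constructed sample mimicking the WEB-INF/lib listing; jars hold empty stubs."""
    lib = Path(root) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    for name in ("log4j-core-2.13.2.jar", "log4j-core-2.16.0.jar"):
        with zipfile.ZipFile(lib / name, "w") as z:
            z.writestr(JNDI_CLASS, b"")
    (lib / "log4j-core-broken.jar").write_bytes(b"not a zip")
    return lib

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in scan(tmp):
            print(finding)
```

The version is read from the file name only, so a renamed or repackaged jar shows up as "unknown-version" and needs a manual look.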

 
