Is WhatsUp Gold vulnerable to Log4j?

URL Name: Is-WhatsUp-Gold-vulnerable-to-CVE-2021-44228-Log4j
Article Number: 000206959
Information
WhatsUp Gold customers who are not licensed for Log Management and have not installed Elasticsearch are NOT impacted.

The Log Management add-on uses Elasticsearch as its datastore. Elasticsearch uses Log4j, and in response to this reported vulnerability Elastic has evaluated its product and provided guidance that it is not impacted. Please refer to Elastic's communication on this vulnerability. In general, we recommend that customers review all third-party products and integrations for security best practices.



Update: December 20th

Further Clarification:

Multiple CVEs have been reported for Log4j. See ‘Additional Information’ for more details on these CVEs.

WhatsUp Gold proper is not susceptible to Log4j vulnerabilities. One of our add-ons (Log Management) uses Elasticsearch as a data store. If you are not licensed for this plugin and have not installed it, Elasticsearch will not be installed on the WUG server.

If you have the Log Management plugin, you are given a choice during installation:

  • Choice one (recommended) is to connect to a full Elasticsearch server that you own. In this instance, you should review that system's Elasticsearch version and refer to Elastic's statement linked above.

  • Choice two is to install an open source Elasticsearch locally. In this case, the following guidance applies:


Log Management ships with Elasticsearch 7.6.1 and Java 13.0.2.


Elastic has reaffirmed these versions are not susceptible to CVE-2021-44228, and no changes are required to mitigate the vulnerability. We will continue to monitor threats that relate to this vulnerability and provide recommended guidance from Elastic as new information becomes available.

The following KB details how you can identify the version of Elasticsearch that is installed: "What Version of Elasticsearch Do I have Installed?"
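For a locally installed Elasticsearch (choice two), the version check can be complemented by listing the Log4j core JARs actually present on disk. The script below is an added example, not Progress or Elastic code; it goes slightly beyond the version check by also reporting whether each JAR contains the JndiLookup class involved in CVE-2021-44228. The install directory is supplied by you, and the output is an inventory to compare against Elastic's guidance, not a verdict on exploitability.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class that performs the JNDI lookup at the centre of CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-core-<version>.jar and captures the dotted version number.
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$", re.IGNORECASE)


def inventory_log4j(root):
    """Return one record per log4j-core JAR found anywhere under root."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        match = JAR_NAME.match(jar.name)
        if not match:
            continue  # not a log4j-core archive (e.g. log4j-api)
        record = {"path": str(jar), "version": match.group(1), "jndi_lookup": None}
        try:
            with zipfile.ZipFile(jar) as archive:
                record["jndi_lookup"] = JNDI_CLASS in archive.namelist()
        except (zipfile.BadZipFile, OSError):
            pass  # unreadable archive: jndi_lookup stays None for manual review
        findings.append(record)
    return findings


if __name__ == "__main__":
    # The directory argument is an assumption: pass your own Elasticsearch install path.
    if len(sys.argv) != 2:
        sys.exit("usage: inventory_log4j.py <elasticsearch-install-dir>")
    for item in inventory_log4j(sys.argv[1]):
        print(f'{item["version"]:<10} JndiLookup={item["jndi_lookup"]}  {item["path"]}')
```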





Additional Information
For additional information on this vulnerability as it relates to other Progress products, refer to the Progress Security Center: https://www.progress.com/security
Environment: WhatsUp Gold
Last Modified Date: 1/10/2022 8:36 PM