Known Issues and Limitations
- When using GAX 9.0.103.08+ with LFMT 8.5.104 or above, ensure the [lfmt]/use_lfm_extension=true option is set on the GAX Application object that has the LFMT Client Plug-in, so that LFMT Package files are created as .lfm files rather than .zip files (the default as of 8.5.104) and can therefore be downloaded via GAX. Per GAX Release Note GAX-11260, the GAX application now filters unnecessary .gz, .jar, .zip, and .rar API requests.
- The LFMT Client requires the netty-3.2.3.Final.jar library in the <GAX Install Directory>/webapp/WEB-INF/lib folder to be renamed or deleted. This is applicable for GAX versions 8.5.220.20 and earlier.
- In a multisite environment, if one or more of the databases are down, the LFMT Client does not populate panes correctly.
- LFMT does not support changes to the GAX root URL.
CVE-2022-22965 vulnerability
- LFMT is deemed to be not impacted by the CVE-2022-22965 vulnerability.
log4j CVE-2021-44832 vulnerability
Important
- LFMT Package 8.5.104.13, released Feb 2022, now utilises log4j 2.17.1 - please upgrade to this LFMT release or later
- LFMT 8.5.101.xx+ is/was deemed NOT impacted by CVE-2021-44832
log4j CVE-2021-45105 vulnerability
Important
- LFMT Package 8.5.104.13, released Feb 2022, now utilises log4j 2.17.1 - please upgrade to this LFMT release or later
- LFMT 8.5.101.xx+ is/was deemed NOT impacted by CVE-2021-44832
LFMT Packages 8.5.101.xx to 8.5.104.10 - mitigation for the log4j CVE-2021-44228 vulnerability
Important
- LFMT Package 8.5.104.13, released Feb 2022, now utilises log4j 2.17.1 - please upgrade to this LFMT release or later
- LFMT 8.5.104.13 Package supports/requires GAX version 9.0.104.xx
- If your upgrade to the latest LFMT 8.5.104.13+ Package is delayed, in the meantime please follow the mitigation steps below
Important
- LFMT 8.5.104.12 Package, released 17th December 2021, supports log4j 2.16 and therefore removes the need for the mitigation steps below.
- LFMT 8.5.104.12 Package supports/requires GAX version 9.0.104.xx
- LFMT 8.5.104.11 Package, released 10th December 2021, supports log4j 2.16 but is restricted to GAX versions 9.0.100.52 to 9.0.103.xx
This page relates to the Genesys Advisory detailed here: https://genesys.my.salesforce.com/articles/Product_Advisories/Apache-Log4j-2-Java-library
Please follow the mitigation steps below in addition to the guidance in the Genesys Advisory above.
LFMT Collector
- Stop the LFMT Collector application(s)
- Run the following command (or use a tool such as 7Zip to delete the same class from the archive):
- zip -q -d <LFMT_COLLECTOR_INSTALL_LOCATION>/bin/lib/log4j-core-* org/apache/logging/log4j/core/lookup/JndiLookup.class
- Restart the LFMT Collector application(s)
LFMT Indexer
- Stop the LFMT Indexer application(s)
- Run the following command (or use a tool such as 7Zip to delete the same class from the archive):
- zip -q -d <LFMT_INDEXER_INSTALL_DIRECTORY>/bin/lib/log4j-core-* org/apache/logging/log4j/core/lookup/JndiLookup.class
- Restart the LFMT Indexer application(s)
LFMT Client
- Given that the LFMT Client is a GAX Plugin and GAX logging is used for the LFMT Client, please consult the GAX Release Notes/Documentation and/or raise a Genesys Support Case regarding GAX mitigation/remediation.
Workbench Agent 8.5
- Stop the Workbench Agent 8.5 application(s)
- Run the following command (or use a tool such as 7Zip to delete the same class from the archive):
- zip -q -d <WORKBENCH_AGENT_INSTALL_LOCATION>/lib/log4j-core-* org/apache/logging/log4j/core/lookup/JndiLookup.class
- Restart the Workbench Agent 8.5 application(s)
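The Collector, Indexer and Workbench Agent steps above all delete the same class from log4j-core, so one check can confirm the result on each host. The following is an added example, not Genesys code: a Python equivalent of the zip -d step for hosts without a zip binary, plus an audit of a lib folder; the function names and the sample jar (including its version number) are constructed for illustration. Stop the application first, as in the steps above.

```python
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def has_jndi_lookup(jar):
    """True if the archive still ships JndiLookup.class."""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_CLASS in zf.namelist()

def strip_jndi_lookup(jar):
    """Same effect as `zip -q -d <jar> <JNDI_CLASS>`: rewrite the jar without the class.
    Returns True if the class was removed, False if it was already absent."""
    jar = Path(jar)
    if not has_jndi_lookup(jar):
        return False
    # Build the new archive next to the original, then swap it in atomically.
    fd, tmp = tempfile.mkstemp(dir=jar.parent, suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    shutil.copymode(jar, tmp)  # mkstemp creates 0600; keep the jar readable by the service user
    os.replace(tmp, jar)
    return True

def audit(lib_dir):
    """Map each log4j-core-*.jar in lib_dir to 'VULNERABLE' or 'mitigated'."""
    return {j.name: "VULNERABLE" if has_jndi_lookup(j) else "mitigated"
            for j in sorted(Path(lib_dir).glob("log4j-core-*.jar"))}

def demo():
    """Constructed sample: a stand-in log4j-core jar in a temp dir, audited before and after."""
    lib = Path(tempfile.mkdtemp())
    jar = lib / "log4j-core-2.13.0.jar"  # constructed file name and version
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    before = audit(lib)
    removed = strip_jndi_lookup(jar)
    return before, removed, audit(lib)

if __name__ == "__main__":
    print(demo())
```

To audit a real installation, call audit() on the lib folder named in the relevant step above; any entry still reported as VULNERABLE has not had the class removed.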
This page was last edited on April 13, 2022, at 13:39.