Log4j jar in testproject agent?

I have followed this thread (log4j-zero-day-vulnerability), but a Log4j jar was detected in the TestProject agent in an internal scan.
Can you help address this?

Hello @krishnac,

TestProject does not use Log4j2 (the one you’ve mentioned is a 1.x version) and thus it’s determined that TestProject is not impacted by the Log4j2 vulnerability.

For the official confirmation, please read the following statement by our parent company Tricentis: Post - Tricentis Support

Have a great day,
Karen

To clarify a little bit more… The problem is not the .jar as a whole, but a vulnerability inside log4j.jar. And the vulnerability here lies within JndiLookup.class, which is not in log4j v.1.

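For everyone using Windows OS: use PowerShell with this script, which searches all jar libraries for this class:

```powershell
# Recursively list every .jar under C:\ and print the path of each one that contains the string "JndiLookup.class"
gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
```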

Very important note: This class can also be found in other .jar files, which may be part of the log4j library.

If anything is found, then you have a vulnerable log4j library. If not… Then you are on the safe side.
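
An added example, not part of the original post and not TestProject code: the same search done by reading each jar's entry list, so that it also finds `JndiLookup.class` in a jar nested inside another archive, where the inner jar is compressed and a plain text search over the outer file does not see the name. The function names, the nesting-depth limit of 5 and the size cap are assumptions of this sketch, and the sample archives are constructed in memory.

```python
import io
import sys
import zipfile
from pathlib import Path

TARGET = "JndiLookup.class"                # class file the post searches for
NESTED = (".jar", ".war", ".ear", ".zip")  # archive types that can embed jars
MAX_NESTED_BYTES = 256 * 1024 * 1024       # assumed cap; skips oversized inner archives


def scan_archive(source, label, depth=0):
    """Return 'outer!/inner' locations of every JndiLookup.class in one archive."""
    hits = []
    try:
        with zipfile.ZipFile(source) as zf:
            for info in zf.infolist():
                name = info.filename
                if name.rsplit("/", 1)[-1] == TARGET:   # any package path, incl. relocated copies
                    hits.append(f"{label}!/{name}")
                elif (name.lower().endswith(NESTED) and depth < 5
                      and info.file_size <= MAX_NESTED_BYTES):
                    inner = io.BytesIO(zf.read(info))   # decompress the nested archive in memory
                    hits += scan_archive(inner, f"{label}!/{name}", depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # corrupt, unreadable or encrypted archive: skip the rest of it
    return hits


def scan_tree(root):
    """Scan every *.jar under root, as the PowerShell one-liner does for a drive."""
    hits = []
    for path in sorted(Path(root).rglob("*.jar")):
        if path.is_file():
            hits += scan_archive(str(path), str(path))
    return hits


def make_zip(entries):
    """Build a constructed in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("\n".join(scan_tree(sys.argv[1])) or "no JndiLookup.class found")
    else:  # constructed samples, not real library files
        core = make_zip({"org/apache/logging/log4j/core/lookup/JndiLookup.class": b""})
        print(scan_archive(io.BytesIO(make_zip({"lib/log4j-core.jar": core})), "app.jar"))
```

Run it with a directory argument to scan that tree; each hit is printed as the chain of archives leading to the class file.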

Hi,

Bit of a technical question maybe, but what would happen if I were to simply remove the log4j-1.2.13.jar from the lib directory? Would the agent still work, but without logging?

Hi @here,
You can remove the log4j jar file from the library and it shouldn’t affect the agent operation.

To remove the jar:

  1. Stop the Agent.
  2. Locate the jar file inside the Agent installation folder, under the app/lib/ folder.
  3. Delete the jar.
  4. Start the Agent.

If you encounter any issue feel free to reach out :slight_smile:
