ApplicationXtender and Xplore - Log4J Vulnerability
- Taylor Treece (Unlicensed)
Please see below communication from OpenText regarding ApplicationXtender and Xplore vulnerability to the Log4J exploit.
OpenText - ApplicationXtender and Xplore
I do know for a fact that ApplicationXtender core components are not affected since we do not use Apache web server and Java in our product suite. As you know, ApplicationXtender is only installed in IIS and using Windows Installers.
xPlore is not affected either because WildFly web server does not use the Log4j 2 either.
xPlore's installer bundled DFC version 20.4, doesn't use the log4j 2.x. it uses 1.x only, that is why in your find command, log4j 2.x didn't present.
Regarding, </opt/xplore/home/wildfly23.0.2/modules/system/layers/base/org/apache/logging/log4j/api/main/log4j-api-2.14.0.jar>
Wildfly bundles the log4j 2.x, but Wildfly bundles log4j api jar "log4j-api-2.14.0.jar" and this jar doesn't have impact. Officially in the twitter Wildfly confirmed the same.
https://twitter.com/WildFlyAS/status/1469362190536818688.”
Further update, the vulnerability doesn’t affect any current version of Xplore FT that works with AX.
CASO Knowledge Base