We have a security compliance issue with the presence of log4j-core-2.3.jar. It is bundled with Kony 7. Please refer to CVE-2017-5645 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5645

This thread was migrated from an old forum. It may contain information that is no longer valid. For further assistance, please post a new question or open a support ticket from the Customer Support portal.

Looks like Kony 7 is integrated with log4j 2.3 and cannot be upgraded. When we try to upgrade to log4j 2.11.2, we are facing the below issue. Please confirm if it can be upgraded to the latest jar which has no security vulnerabilities.

15:12:51,989 INFO [stdout] (ServerService Thread Pool -- 193) 2019-04-03 15:12:51,989 ServerService Thread Pool -- 193 ERROR Unable to invoke factory method in class com.kony.mobilefabric.logger.CustomRollingFileAppender for element CustomRollingFile: java.lang.NoSuchMethodError: org.apache.logging.log4j.core.appender.rolling.RollingFileManager.getFileManager(Ljava/lang/String;Ljava/lang/String;ZZLorg/apache/logging/log4j/core/appender/rolling/TriggeringPolicy;Lorg/apache/logging/log4j/core/appender/rolling/RolloverStrategy;Ljava/lang/String;Lorg/apache/logging/log4j/core/Layout;I)Lorg/apache/logging/log4j/core/appender/rolling/RollingFileManager; java.lang.reflect.InvocationTargetException

@Mvx Slvtew @Lvuwen Pipew is this something you can help with?

Do we have any update on this? Can you please let us know a way of upgrading the log4j jars?

Hi @Regvn Goddvwd,

You can't directly upgrade log4j jars inside WARs as this requires code changes. We have upgraded log4j jars to version 2.8.2 in the V8 SP2 release.
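
For the compliance side of this thread, an added example (not from the thread or from Kony): a Python check that inventories log4j-core jars bundled inside WAR/EAR archives, including nested ones, and flags any version below 2.8.2, the version the reply above names. The archive names and contents are constructed samples, and matching is by jar filename only, so renamed or shaded copies are not detected.

```python
import io
import re
import zipfile

FIXED = (2, 8, 2)  # version the reply above says ships in V8 SP2
JAR_RE = re.compile(r"(?:^|/)log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVE_EXT = (".war", ".ear", ".jar", ".zip")


def parse_version(text):
    """'2.11.2' -> (2, 11, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def scan_archive(data, path=""):
    """Yield (path, version, below_fixed) for each bundled log4j-core jar."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to report
    with zf:
        for name in zf.namelist():
            inner = f"{path}!/{name}" if path else name
            match = JAR_RE.search(name)
            if match:
                version = match.group(1)
                yield inner, version, parse_version(version) < FIXED
            elif name.lower().endswith(ARCHIVE_EXT):
                # Recurse: WARs sit inside EARs, jars inside WEB-INF/lib.
                yield from scan_archive(zf.read(name), inner)


def make_zip(entries):
    """Build an in-memory archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_ear():
    """Constructed sample: one WAR with log4j-core 2.3, one with 2.8.2."""
    old_war = make_zip({"WEB-INF/lib/log4j-core-2.3.jar": b"",
                        "WEB-INF/web.xml": b"<web-app/>"})
    new_war = make_zip({"WEB-INF/lib/log4j-core-2.8.2.jar": b""})
    return make_zip({"old.war": old_war, "new.war": new_war})


if __name__ == "__main__":
    for path, version, below in scan_archive(build_sample_ear(), "sample.ear"):
        print("FLAG" if below else "ok  ", version, path)
```

To scan a real deployment, pass the bytes of each WAR or EAR file to `scan_archive` in place of the constructed sample.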