A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j2 utility was disclosed publicly on December 9, 2021. The vulnerability impacts Apache Log4j2 versions below 2.15.0. Find the details of this vulnerability documented here: https://logging.apache.org/log4j/2.x/security.html

ManageEngine products bundled with vulnerable Log4j2:

Product nameJar version in bundled dependency
ADManager PlusV2.11.1
ADAudit PlusV2.10.0
DataSecurity PlusV2.10.0
EventLog AnalyzerV2.9.1
M365 Manager PlusV2.11.1
RecoveryManager PlusV2.11.1
Exchange Reporter PlusV2.11.1
Log360V2.9.1
Log360 UEBAV2.11.1
Cloud Security PlusV2.9.1

Please note that we have not identified any exploitable cases due to Log4j2 in the above products as we do not use Log4j directly for logging. But, some of the third parties we use bundle Log4j2 as a dependency. So as an additional safety measure, customers are instructed to apply the mitigation steps listed below:

  1. ADManager Plus 
  2. ADAudit Plus 
  3. DataSecurity Plus 
  4. EventLog Analyzer 
  5. M365 Manager Plus 
  6. RecoveryManager Plus
  7. Exchange Reporter Plus 
  8. Log360
  9. Log360 UEBA (steps detailed in comments of ManageEngine PitStop post here)
  10. Cloud Security Plus (steps detailed in comments of ManageEngine PitStop post here)

*** Other ManageEngine products that are not listed above are not impacted by this vulnerability ***

We are continuing to analyze the issue and will update this advisory if any new information becomes available.For any additional details or assistance, please contact security@manageengine.com

This article is relevant to:
ManageEngineSecurity Advisory

You may be interested in these other recent articles

Automation in ManageEngine ServiceDesk Plus

20 December 2021

Increasingly customers are looking to automate repetitive and mundane tasks in ServiceDesk Plus. Since the introduction of Deluge, Zoho’s online scripting language, as part of…

Read more

Who do I contact for technical support for my ManageEngine product?

10 September 2021

When purchasing a ManageEngine product it will either have been supplied on a subscription basis or it would have included an initial Annual Maintenance and…

Read more

Live Status Monitoring of the ManageEngine Cloud Services

3 September 2021

Live status monitoring of the ManageEngine Cloud Services in the EU data centre with details of any on-going service interruptions or incidents. Links below show…

Read more

ManageEngine Consultancy, ‘ManageEngine Made Better’

9 November 2020

There’s no doubting the capabilities of the ManageEngine suite of applications. Offering a host of solutions to meet a varied range of IT management, monitoring…

Read more

Cybersecurity? Just what is your weakest link?

4 November 2020

Information Technology is no longer the black art it once was. More and more individuals are able to access and utilise computer technology to improve…

Read more