Log4j warning after installing COMSOL 6.3

问题描述

After installing COMSOL 6.3 my security scan gives a log4j warning pointing to

C:\Program Files\COMSOL\COMSOL63\Multiphysics\license\win64\lmadmin\examples\alerter\lib\log4j-core-2.17.0.jar

解决方法

COMSOL Version 6.3 is not vulnerable itself. The package you refer to belongs to a third-party tool, lmadmin, which is an alternate tool for license handling, and not used by default.

If you are not using lmadmin as the license handling tool on your computer, you can safely remove the entire lmadmin directory. If you are using lmadmin on your computer, you can instead remove the lmadmin\examples directory. However, if you are using the alerter functionality in lmadmin, you need to keep the directory and patch the log4j files according to the workaround found in the links in the next section

According to the developers of the license handling tool, lmadmin should not be vulnerable to this vulnerability. See Vulnerability: CVE-2021-44832 Log4j vulnerability impact on FlexNet Publisher and CVE-2021-44832 Log4j vulnerability impact on FlexNet Publisher for more information.

按类别浏览