CVE-2021-45046 and Orion 2020.2.6 hotfix 3

Question

Has anyone tried to upgrade from Orion Platform 2020.2.4 to Orion Platform 2020.2.6 and then replace the log4j file?

The code released on Dec 20th, has Apache log4j 2.16.0 which was also considered vulnerable under CVE-2021-45046. CISA's recommendation is to upgrade to log4j 2.17.1.

Any key learnings?

Also do we know when is Hotfix 4 coming out?

stevenstadel · Answer

Upgraded to log4j 2.17.1 manually per SolarWinds instructions without issues. As of Dec 28th SAM is tested up to 2.17.1 Server & Application Monitor (SAM) and the Apache Log4j Vulnerabilities: CVE-2021-44228, CVE-2021-45046, and CVE-2021-4104 (solarwinds.com)