Beginning December 9, 2021, a number of critical security vulnerabilities have been disclosed by the Apache Log4j project. For more information, see https://logging.apache.org/log4j/2.x/.
LogicMonitor has conducted a methodical evaluation of our exposure to these vulnerabilities and determined that the LogicMonitor platform is not affected. While we are aware that recent versions of the LogicMonitor Collector include affected versions of the log4j component, the Collector architecture has been purposely designed to mitigate such vulnerabilities. Because of this, we are confident that the log4j vulnerabilities are not materially exploitable within our customers’ environments.
However, we strongly recommend that you upgrade to GD 31.003 which addresses the security vulnerabilities by updating to log4j 2.17.1. For instructions on how to upgrade a Collector, see Managing Collectors.
On January 20, 2022, all Collectors version 30.001 or earlier will be automatically upgraded to MGD 30.002, which also addresses the log4j vulnerabilities. No action is required ahead of this date. You may upgrade to MGD Collector 30.002 before January 20 or you may wait for the automatic upgrade to occur. For more information, see MGD Release Update.
Note: If you have Collectors in your environment on versions EA 30.100, EA 30.101, EA 30.102, EA 30.104, or GD 31.000, you will not be automatically upgraded on January 20, 2022 and must manually update to GD 31.003 to incorporate the log4j fixes.