UiPath/Insights-Customer

jndilookup.class still appears in jar

win-admin-85 opened this issue · 1 comment

I was reviewing the Insights hotfix for 20.10.1 and the jar provided still appears to have the jndilookup.class (org/apache/logging/log4j/core/lookup/JndiLookup.class) within it. All official guidance has you removing that class. Can you please review and confirm the status of that jar (com.sisense.connectors.jdbc.UiFrost.jar)?

sysm commented

Hi,

As stated in the UiPath advisory and the readme.txt, the Java connector was upgraded to use a non-vulnerable version of log4j (2.16). The script provided by Sisense removes JndiLookup.class from jars inside their program directory.

It also happens that since our connector is also under 'C:\Program Files\Sisense\DataConnectors\JVMContainer', the scripts provided by Sisense will also remove this class even though we are on a non-vulnerable version. If you have any concerns after following our documentation and running the scripts, please let us know.

Thanks,
Chris
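
To check both points raised in this thread (whether `JndiLookup.class` is present and which log4j-core version a jar bundles), the following Python script is an added example, not part of the original issue and not a UiPath or Sisense script. It assumes the jar keeps log4j-core's Maven `pom.properties` (shaded jars may drop it); `build_sample` and the sample file names are constructed for illustration.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped in log4j-core; assumed to survive repackaging.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")


def inspect_archive(data, label="<jar>"):
    """Return one finding per archive (nested ones included) that carries log4j-core."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive, nothing to report
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            text = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(\S+)", text, re.MULTILINE)
            version = m.group(1) if m else None
        has_class = JNDI_CLASS in names
        if has_class or version:
            findings.append({"archive": label, "jndilookup": has_class, "log4j_core": version})
        # Uber-jars embed other jars, so recurse into them.
        for name in sorted(names):
            if name.lower().endswith(NESTED):
                findings += inspect_archive(zf.read(name), f"{label}!{name}")
    return findings


def build_sample(version, with_class):
    """Constructed test jar: log4j-core metadata, optionally the JndiLookup entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


if __name__ == "__main__":
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("lib/connector.jar", build_sample("2.16.0", True))  # constructed name
    for finding in inspect_archive(outer.getvalue(), "sample.jar"):
        print(finding)
```

To scan a real file, pass its bytes and path, for example `inspect_archive(open(path, "rb").read(), path)`.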