Ethan Magnet
Log4J Security Advisory for RiskSuite
Information for SHS Viveon RiskSuite Customers
Affected products
The table below lists all products which contain Log4j versions between 2 and 2.14.1. These versions are therefore potentially affected by the vulnerability described under CVE-2021-44228.
Patches
For RiskSuite and the Docker Image, PatchSet 6.5.14 has been released. The PatchSet upgrades the Log4j library to a higher version. For GenYOS, version 2.10 is available. Releases for SimCo and Analytics are currently in progress.
Besides the PatchSets, the below mentioned mitigation approaches can be applied.
Mitigation approaches
There are several mitigation approaches recommended by institutions like the NIST (CVE-2021-44228). Based on these recommendations, the following points provide a guideline to assist in mitigating the vulnerability. Please note that not all approaches have been tested yet.
RiskSuite (6.5.3 and higher) under RedHat EAP
Option A: Setting the system property “log4j2.formatMsgNoLookups” to “true”
Set the Java system property “log4j2.formatMsgNoLookups” to “true” in the application server by executing the following steps. If RiskSuite is installed in a cluster, these steps should be applied for each cluster node.
1. Edit the script EAP_HOME/setEnv.bat on Windows or EAP_HOME/setEnv.sh on Linux
2. Locate the script variable RISKSUITE_JAVA_OPTS
3. Set the Java system property “log4j2.formatMsgNoLookups” to “true” in this variable
Example (Windows):
Before:
SET "RISKSUITE_JAVA_OPTS=-Xmx4G -XX:MaxMetaspaceSize=512m -XX:+UseParallelOldGC"
After:
SET "RISKSUITE_JAVA_OPTS=-Xmx4G -XX:MaxMetaspaceSize=512m -XX:+UseParallelOldGC -Dlog4j2.formatMsgNoLookups=true"
4. Save the script
5. Restart the RiskSuite Application Server
6. Check if the property was set:
Look in the EAP_HOME/standalone/log/server.log
Look for the log line that logs all system properties:
13.12.2021 10:59:46,717 DEBUG [org.jboss.as.config] (MSC service thread 1-8) Konfigurierte System-Properties:
[…]
log4j2.formatMsgNoLookups = true
[…]
7. Assure that the property “log4j2.formatMsgNoLookups” is set to “true”.
Option B: Removing the “JndiLookup” class
If RiskSuite is installed in a cluster, these steps should be applied for each cluster node.
1. Stop the application server
2. Remove the “JndiLookup” class from the log4j jar file by executing the following command. Replace the EAP_HOME placeholder in the command with the path to the JBoss EAP home folder:
zip -q -d EAP_HOME/modules/net/guardean/shared/main/log4j-core-2.11.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
3. Start the application server
Option C: Upgrade Log4j to 2.17.0 (not tested)
If RiskSuite is installed in a cluster, these steps should be applied for each cluster node.
1. Download the log4j 2.17.0 from https://logging.apache.org/log4j/2.x/download.html
2. On Windows: download the file https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip
3. On Linux: download the file https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.tar.gz
4. Unpack the ZIP
5. Stop the application server
6. Replace the log4j libraries in the application server in EAP_HOME/modules/net/guardean/shared/main
7. Replace log4j-api-2.11.2.jar with log4j-api-2.17.0.jar from the downloaded ZIP
8. Replace log4j-core-2.11.2.jar with log4j-core-2.17.0.jar from the downloaded ZIP
9. Edit the EAP_HOME/modules/net/guardean/shared/main/module.xml
10. Replace the string “log4j-api-2.11.2.jar” with “log4j-api-2.17.0.jar”
11. Replace the string “log4j-core-2.11.2.jar” with “log4j-core-2.17.0.jar”
12. Start the application server
RiskSuite (6.5.3 and higher) under Oracle Weblogic
Option A: Setting the system property “log4j2.formatMsgNoLookups” to “true”
Set the Java system property “log4j2.formatMsgNoLookups” to “true” in the application server by executing the following steps. If RiskSuite is installed in a cluster, these steps should be applied for each cluster node.
1. Edit the script DOMAIN_HOME/setEnv.bat on Windows or DOMAIN_HOME/setEnv.sh on Linux
2. Locate the script variable RISKSUITE_JAVA_OPTS
3. Set the Java system property “log4j2.formatMsgNoLookups” to “true” in this variable
Example (Windows):
Before:
SET "RISKSUITE_JAVA_OPTS=-Xmx4G -XX:MaxMetaspaceSize=512m -XX:+UseParallelOldGC"
After:
SET "RISKSUITE_JAVA_OPTS=-Xmx4G -XX:MaxMetaspaceSize=512m -XX:+UseParallelOldGC -Dlog4j2.formatMsgNoLookups=true"
4. Save the script
5. Restart the RiskSuite WebLogic domain
6. Check if the property was set:
Execute the following command, replacing <PID> with the Java process ID of the Weblogic domain:
JAVA_HOME/bin/jcmd <PID> VM.system_properties
This command lists all system properties of the Java process
7. Assure that the property “log4j2.formatMsgNoLookups” is set to “true”
Option B: Removing the “JndiLookup” class
If RiskSuite is installed in a cluster, these steps should be applied for each cluster node.
1. Stop the Weblogic domain
2. Remove the “JndiLookup” class from the log4j jar file by executing the following command. Replace the DOMAIN_HOME placeholder in the command with the path to the Weblogic domain folder:
zip -q -d DOMAIN_HOME/lib/log4j-core-2.11.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
3. Start the Weblogic domain
Option C: Upgrade Log4j to 2.17.0 (not tested)
If RiskSuite is installed in a cluster, these steps should be applied for each cluster node.
1. Download the log4j 2.17.0 from https://logging.apache.org/log4j/2.x/download.html
2. On Windows: download the file https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip
3. On Linux: download the file https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.tar.gz
4. Unpack the ZIP
5. Replace the log4j libraries in the application server in DOMAIN_HOME/lib
6. Replace log4j-api-2.11.2.jar with log4j-api-2.17.0.jar from the downloaded ZIP
7. Replace log4j-core-2.11.2.jar with log4j-core-2.17.0.jar from the downloaded ZIP
8. Start the Weblogic domain
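The two verification points in the RedHat EAP and Oracle WebLogic sections above (step 6 of Option A: the property listing in server.log or from jcmd; Option B: the JndiLookup class removed from log4j-core) can be checked mechanically. The following script is an added example and is not SHS Viveon tooling. It uses only the Python standard library: zipfile reads and rewrites the jar exactly as `zip -q -d` does, the version is taken from the log4j-core-<version>.jar file name, the “affected” range 2.0 to 2.14.1 is the one this advisory names, and the jcmd output is assumed to be in `key=value` form. The jar it inspects is constructed in a temporary directory so the script runs offline.

```python
"""Post-mitigation checks for the Log4j advisory (added example, not SHS Viveon tooling)."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
PROPERTY = "log4j2.formatMsgNoLookups"
# Version range this advisory names as potentially affected by CVE-2021-44228.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)


def parse_version(jar_path):
    """Read the version out of a log4j-core-<version>.jar file name (None for other jars)."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$", Path(jar_path).name)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def inspect_jar(jar_path):
    """Return (version, has_jndi_lookup, affected) for one jar.

    'affected' follows the advisory: a version in 2.0 .. 2.14.1 is flagged,
    unless JndiLookup.class was already removed from it (Option B)."""
    version = parse_version(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        has_jndi = JNDI_ENTRY in zf.namelist()
    in_range = version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX
    return version, has_jndi, in_range and has_jndi


def remove_jndi_lookup(jar_path):
    """Equivalent of `zip -q -d <jar> org/.../JndiLookup.class`: rewrite the jar
    without that entry. Returns True if the entry was present and removed."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_ENTRY not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_ENTRY:
                    dst.writestr(item, src.read(item.filename))
    jar_path.write_bytes(buf.getvalue())
    return True


def property_enabled(lines):
    """Check the output of step 6 of Option A.

    Accepts the JBoss server.log style (`key = value`) and the assumed
    `jcmd <PID> VM.system_properties` style (`key=value`); only an exact
    value of 'true' counts, so a typo in the property name is caught too."""
    pattern = re.compile(r"^\s*" + re.escape(PROPERTY) + r"\s*=\s*(\S+)\s*$")
    for line in lines:
        m = pattern.match(line)
        if m:
            return m.group(1).lower() == "true"
    return False


def make_sample_jar(directory, version):
    """Build a minimal stand-in for log4j-core-<version>.jar (constructed test data)."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Inspect a constructed 2.11.2 jar (the version the advisory ships)
    before and after Option B; returns both inspection results."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = make_sample_jar(tmp, "2.11.2")
        before = inspect_jar(jar)
        remove_jndi_lookup(jar)
        after = inspect_jar(jar)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before Option B:", before)   # ((2, 11, 2), True, True)
    print("after  Option B:", after)    # ((2, 11, 2), False, False)
    # Constructed server.log excerpt in the shape shown in the advisory.
    sample_log = [
        "13.12.2021 10:59:46,717 DEBUG [org.jboss.as.config] (MSC service thread 1-8) Konfigurierte System-Properties:",
        "    log4j2.formatMsgNoLookups = true",
    ]
    print("property set:", property_enabled(sample_log))  # True
```

Point inspect_jar at EAP_HOME/modules/net/guardean/shared/main or DOMAIN_HOME/lib on each cluster node and pipe the jcmd listing into property_enabled; a node that reports the jar as affected or the property as unset has not had the mitigation applied. Because remove_jndi_lookup rewrites the jar in place, stop the application server first, exactly as Option B requires.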
RiskSuite Docker Image (6.5.3 and higher)
Option A: Setting the system property “log4j2.formatMsgNoLookups” to “true”
If RiskSuite is installed in a cluster, these steps should be applied for each cluster node.
1. Edit the risksuite.env file
2. Locate the script variable RISKSUITE_JAVA_OPTS
3. Set the Java system property “log4j2.formatMsgNoLookups” to “true” in this variable
Example:
Before:
RISKSUITE_JAVA_OPTS=-Xmx2G -XX:+UseParallelOldGC -Djava.net.preferIPv4Stack=true
After:
RISKSUITE_JAVA_OPTS=-Xmx2G -XX:+UseParallelOldGC -Djava.net.preferIPv4Stack=true -Dlog4j2.formatMsgNoLookups=true
4. Restart the docker container
SimCo (2.0 – 4.0) / Not Tested
1. Set the Java system property “-Dlog4j2.formatMsgNoLookups=true” in the hosting application server. If SimCo runs on RedHat EAP or Oracle Weblogic, please refer to the above mentioned points RiskSuite under RedHat EAP or RiskSuite under Oracle Weblogic. If SimCo runs on another application server, please refer to the respective provider documentation.
2. Stop Elasticsearch
3. Apply the Java system property
4. Edit the file elasticsearch/config/jvm.options
5. Find the section “# log4j”
6. Add the line “-Dlog4j2.formatMsgNoLookups=true” – without the quote character.
7. Remove the affected JndiLookup class by executing the following command:
zip -q -d <ELASTICSEARCH_HOME>/lib/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
8. Start Elasticsearch
GenYOS (2.8 – 2.9)
1. Set the Java system property “-Dlog4j2.formatMsgNoLookups=true” in the hosting application server. If GenYOS runs on RedHat EAP or Oracle Weblogic, please refer to the above mentioned points RiskSuite under RedHat EAP or RiskSuite under Oracle Weblogic. If GenYOS runs on another application server, please refer to the respective provider documentation.
2. Remove the “log4j-api-2.7.jar” and “log4j-core-2.7.jar” files from the “genyos.war” file by executing the following commands:
zip -q -d genyos.war WEB-INF/lib/log4j-api-2.7.jar
zip -q -d genyos.war WEB-INF/lib/log4j-core-2.7.jar
Analytics (3.0 – 5.0) / Not Tested
ElasticSearch:
1. Stop ElasticSearch.
2. Set the Java system property “-Dlog4j2.formatMsgNoLookups=true”
3. Edit the file elasticsearch/config/jvm.options
4. Find the section “# log4j” and add the line “-Dlog4j2.formatMsgNoLookups=true” to the section – without the quote characters
5. Remove the affected JndiLookup class by executing the following command:
zip -q -d <ELASTICSEARCH_HOME>/lib/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
6. Start ElasticSearch
Logstash:
1. Stop Logstash
2. Set the Java system property “-Dlog4j2.formatMsgNoLookups=true”
3. Edit the file <LOGSTASH_HOME>/start.bat
4. Add the line “SET LS_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true” before the last “call” line – without the quote character
5. Remove the affected JndiLookup class by executing the following command:
zip -q -d <LOGSTASH_HOME>/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
6. Start Logstash
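The Option A edits recur throughout this advisory: the RISKSUITE_JAVA_OPTS line in setEnv.bat, setEnv.sh and risksuite.env, the “# log4j” section of the Elasticsearch jvm.options file (SimCo and Analytics), and the LS_JAVA_OPTS line before the last “call” in the Logstash start.bat. When the change is rolled out to many cluster nodes it pays to apply it idempotently, so a second run never duplicates the option and an explicit `=false` is corrected. The functions below are an added example, not SHS Viveon tooling; the file contents in the tests are constructed to match the advisory's own examples, and the `export RISKSUITE_JAVA_OPTS="..."` form assumed for setEnv.sh is not shown on this page.

```python
"""Idempotent application of -Dlog4j2.formatMsgNoLookups=true (added example)."""
import re

OPTION = "-Dlog4j2.formatMsgNoLookups=true"


def add_java_opt(line, option=OPTION, var="RISKSUITE_JAVA_OPTS"):
    """Append `option` to one assignment line of `var` and return the new line.

    Handles the forms used in the advisory: `SET "VAR=..."` (setEnv.bat),
    `VAR=...` (risksuite.env) and, assumed, `export VAR="..."` (setEnv.sh).
    Lines that do not assign `var` pass through untouched; an existing
    `-Dlog4j2.formatMsgNoLookups=<anything>` token is replaced."""
    m = re.match(r'^(?P<head>.*?\b' + re.escape(var) + r'="?)(?P<value>.*?)(?P<tail>"?\s*)$', line)
    if not m:
        return line
    head, value, tail = m.group("head", "value", "tail")
    tokens = value.split()
    if option in tokens:
        return line  # already applied
    prop = option.split("=", 1)[0]
    tokens = [t for t in tokens if not t.startswith(prop + "=")]
    tokens.append(option)
    return f"{head}{' '.join(tokens)}{tail}"


def add_jvm_option(text, option=OPTION, section="# log4j"):
    """Add `option` under the `# log4j` section of an Elasticsearch jvm.options
    file. A second run returns the text unchanged; a file without the
    section gets the section appended."""
    lines = text.splitlines()
    if any(line.strip() == option for line in lines):
        return text
    for i, line in enumerate(lines):
        if line.strip() == section:
            lines.insert(i + 1, option)
            break
    else:
        lines.extend(["", section, option])
    return "\n".join(lines) + "\n"


def add_logstash_opt(text, option=OPTION):
    """Insert `SET LS_JAVA_OPTS=<option>` before the last `call` line of a
    Logstash start.bat, as the advisory's Logstash step describes."""
    new_line = f"SET LS_JAVA_OPTS={option}"
    newline = "\r\n" if "\r\n" in text else "\n"
    lines = text.splitlines()
    if any(line.strip().upper() == new_line.upper() for line in lines):
        return text
    call_lines = [i for i, line in enumerate(lines) if line.strip().lower().startswith("call ")]
    if not call_lines:
        raise ValueError("no 'call' line found in start.bat")
    lines.insert(call_lines[-1], new_line)
    return newline.join(lines) + newline


if __name__ == "__main__":
    # Constructed inputs copied from the advisory's Before examples.
    print(add_java_opt('SET "RISKSUITE_JAVA_OPTS=-Xmx4G -XX:MaxMetaspaceSize=512m -XX:+UseParallelOldGC"'))
    print(add_java_opt("RISKSUITE_JAVA_OPTS=-Xmx2G -XX:+UseParallelOldGC -Djava.net.preferIPv4Stack=true"))
    print(add_jvm_option("-Xms1g\n-Xmx1g\n\n# log4j\n-Dlog4j2.disable.jmx=true\n"))
```

Run the edit once per file and compare the result with the original before writing it back; an unchanged result means the node already carried the setting. After restarting, still verify the live JVM with the server.log line or `jcmd <PID> VM.system_properties` as the advisory instructs, because the file edit only proves intent, not that the process picked it up.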
Solr
Apache Solr is not a SHS Viveon product. However, it is used with RiskSuite’s Cloud Search Service 2. RiskSuite currently supports Apache Solr 5.4.0 under JRE 1.8.
For vulnerabilities and mitigation solutions please consult the Apache Solr Security News: https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228.