Vulnerability in Apache Log4j
NOTE: Geneos components except those in the table, Capacity Planner, Cloud Cost Optimisation, OP5 Monitor and Uptrends areNOTaffected by this vulnerability. Copied
ITRS have identified the following products are impacted by Apache Log4J security vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307
Geneos Copied
Geneos GA5.12 is now available to download. This includes upgrade to log4j 2.17.1 to resolve security vulnerabilities CVE-2021-45046, CVE-2021-44228 CVE-2021-45105 and CVE-2021-44832 .
| Affected Geneos Components | Geneos versions | Log4j versions used | Remediation advice |
| Active Console and Web Dashboard | GA5.0.0 and older (including 4.x versions) | log4j 1.2.14 | · Does not use the affected log4j 2 versions · Not affected by CVE-2021-4104 (does not use JMSAppender) · We recommend upgrading to GA5.12 or newer at your convenience |
| GA5.1.0 to GA5.11.0 | log4j 2.12.1 | · Upgrade to Geneos version GA5.12 or newer · If you are unable to upgrade, see workaround below | |
| GA5.11.1 | log4j 2.15.0 | ||
| GA5.11.2 | log4j 2.16.0 | ||
| GA5.11.3 | log4j 2.17.0 | ||
| Terracotta Messaging Integration (UM98Monitor) | 2.0.231 and older | log4j 1.2.16 | · Does not use the affected log4j 2 versions · Not affected by CVE-2021-4104 (does not use JMSAppender) · We recommend upgrading to 2.0.236 or newer at your convenience |
| 2.0.232 | log4j 2.14.0 | · Upgrade to 2.0.236 or newer | |
| 2.0.233 | log4j 2.15.0 | · Upgrade to 2.0.236 or newer | |
| 2.0.234 | log4j 2.16.0 | · Upgrade to 2.0.236 or newer | |
| 2.0.235 | log4j 2.17.0 | · Upgrade to 2.0.236 or newer | |
| VMware Integration (VMWareMonitor) | 1.4.16 and older 1.4.17 | log4j 2.7.0 log4j 2.14.0 | · Upgrade to 1.4.21 or newer |
| 1.4.18 | log4j 2.15.0 | · Upgrade to 1.4.21 or newer | |
| 1.4.19 | log4j 2.16.0 | · Upgrade to 1.4.21 or newer | |
| 1.4.20 | log4j 2.17.0 | · Upgrade to 1.4.21 or newer | |
| Gateway Hub | 2.2.0 to 2.5.x | log4j 1.2.17 | · Does not use the affected log4j 2.x versions · Does not use any of the affected classes in log4j 1.x versions. However, the recommended mitigation is to remove the offending classes altogether from the log4j-1.2.17.jar artifact. See instructions below for more info. |
The following Geneos items are NOT affected
- Gateway
- Netprobe
- Collection Agent
- Collection Agent plugins
- Fix Analyser Netprobe
- Fix Analyser File Agent
- Web Slinger
- Licence Daemon
- SSO Agent
- Integrations (except Terracotta Messaging and VMware)
OP5 Copied
· OP5 Monitor is NOT affected by this vulnerability.
LogAnalytics Copied
· Versions 6.x and Version 7.x
Synthetic Monitoring Copied
· ZebraTester agents and Browser(BNet) agents
Solution Copied
Geneos Copied
ITRS has released a fixed version GA5.12 which is now available to download. This release includes updates to the following Geneos components to address the security vulnerabilities CVE-2021-45046, CVE-2021-44228 CVE-2021-45105 and CVE-2021-44832 .
- Active Console, version 5.12
- Web Dashboard, version 5.12
- Terracotta Messaging Integration, version 2.0.236
- VMWare Integration, version 1.4.21
We advise you upgrade to these latest version mentioned above. If you are unable to upgrade, please see workaround information below.
The following workarounds are available for Active Console and Web Dashboard versions 5.1.0 and newer. This can mitigate some attack pathsbut may be insufficient**, we recommend users to upgrade as soon as possible*. Note: the workaround is not applicable to Geneos GA5.0.0 and older using log4j 1.x versions.
-
Active Console
- Edit the “ActiveConsole.gci” file to add Dlog4j2.formatMsgNoLookups=truein the -jvmargs section and restart Active Console. For example:
#### The JVM to use and arguments -jvm .\JRE\bin\server\jvm.dll -jvmargs Xmx1024M XX:+HeapDumpOnOutOfMemoryError Ddocking.floatingContainerType=frame Dsun.java2d.d3d=false Dorg.quartz.threadPool.threadCount=1 Djava.endorsed.dirs=.\jars\endorsed Dfile.encoding=UTF-8 Dlog4j2.formatMsgNoLookups=true
Restart Active Console once the setting have been applied.
-
Web-Server / Web Dashboard
- Edit the “run” script or the “geneosws” script that starts up the JVM to add -Dlog4j2.formatMsgNoLookups=true and restart Web Dashboard. For example:
GWS_RUN_CMD="$JRE_BIN_PATH/java -XX:+UseConcMarkSweepGC -Xmx1024M -server -Dlog4j2.formatMsgNoLookups=true $HEADLESS $SECURITY_CONFIG $CONFIG $RESOURCES $JAVA_LIBRARY_PATH $LOG_PROPERTIES $PATH_FOR_LOG4J $JAVA_PROPS $SSO_PROPERTIES $BDO_FLAGS $JMX_FLAGS $DUMP_HEAP_ARGS $JAR_PATH $GWS_PORT $WEBAPPS $GWS_PORT $ENABLE_SSL &"
Gateway Hub Copied
The Gateway Hub installation includes both Kafka and Zookeeper services. These two services contain log4j-1.2.17 in their packaging. We are aware of the following vulnerabilities impacting log4j 1.x versions.
Gateway Hub does not use any of the affected classes in log4j. However, the recommended mitigation for the above vulnerabilities is to remove the offending classes altogether from the log4j-1.2.17.jar artifact.
- If you are running Gateway Hub 2.5.0 or older, you must remove classes: Chainsaw, JMSAppender and JMSSink
- If you are running Gateway Hub 2.5.1, the class Chainsaw is already removed, you must remove classes JMSAppender and JMSSink
Instructions for removing a class from the log4j-1.2.17.jar artifact:
- Stop Gateway Hub
hubctl stop <config_file>
-
On each node, navigate to the directory where log4j-1.2.17.jar file is located
- For Kafka, by default it is: /opt/hub/hub-current/services/kafka-2.12-2.8.1/kafka_2.12-2.8.1/libs
- For Zookeeper, by default it is: /opt/hub/hub-current/services/zookeeper-3.6.3/apache-zookeeper-3.6.3/lib
-
Run the following commands to remove the classes
zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class
zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSSink.class
zip -d log4j-1.2.17.jar org/apache/log4j/net/Chainsaw.class
- Start Gateway Hub
hubctl start <config_file>
LogAnalytics Copied
Execute the below script on your current installation of LogAnalytics:
Future upcoming versions of LogAnalytics will include the necessary changes and fixes.
Synthetic Monitoring Copied
- ZebraTester agents
- Replace the current log4j jars with up-to-date ones, found here:https://eu01.l.antigena.com/l/AUeBAcdmAvrywk8X0Fe1axPqXUSI2eArYv5kPPTXW9MpHAiyxPhPcMF_DrR9Ue0QtuZJtHReq2apJf-HYMNuKRqfeugX7ggB4AbGVhzyeE0a_KSJW6Gb3aJ-_965VmoYHT5bmo29J7E8lk2vgqpfNTtxu13A3~vD032LmY7Ejuc-bQOMA_V
- Linux location for these files:
- /opt/zebratester/embedded/log4j/log4j-api-2.11.0.jar
- /opt/zebratester/embedded/log4j/log4j-core-2.11.0.jar
- Windows location for these files:
- Under your Zebra Tester installation folder.
- Restart the ZebraTester service.
- Browser(BNet) agents
- If you are using version (7.6.3 with Chrome 55), no action is needed.
- If you are using version 8.1.x (chrome 74 only) you need to upgrade to a new version.
- Send us your agent’s OS flavor and we’ll provide links to the correct package.
- If you are using version 8.2.x and later (with Chrome 87),
- Replace the BNet jar located in /opt/asm-browser-agent/embedded/bnet-agent (Linux) with this one:
- https://apica-packages.s3.eu-central-1.amazonaws.com/current/bnet-agent/maven/com/apicasystem/bnet/BNetAgent/8.3.17-585/BNetAgent-8.3.17-585.jar.
- Restart the agent.