Background
XPLG update release includes new features, optimizations and bug fixes. This release also addresses Apache Log4j moderate vulnerability (CVE-2021-44832) that was recently published.
Apache announced that Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.
The Apache Log4j 2 is an open-source Java package that allows developers to log activity within applications. More information is available here.
XPLG product suite impact
Recently we have published patch 8067 that migrates all used Log4j libraries within XPLG to Apache Log4j2 version 2.16.0. Following Apache later announcement, patch 8069 was released to migrate all used libraries to Apache Log4j2 version 2.17.0.
Following the latest Apache announcement, patch 8218 is now released to migrate all used libraries to Apache Log4j2 version 2.17.1 (latest patch includes all, if you haven’t updated yet please proceed only with the latest patch as detailed below).
Release Notes:
PortX
Data Forwarding - introducing a new console for data forwarding. Forward logs data from XPLG to other systems over Syslog, HTTP, CEF and more in real time.
Embedded JSON parser - additional plugins and enhanced capabilities to dynamically parse complex JSON objects.
Automatic encoding assignment for data listeners.
...
* It is very important to follow the steps in the order described below to complete the process successfully. The process is short and simple and is completed within minutes - deployment is similar to the software updates we occasionally release.
Upgrade/Update procedure
Prerequisites
· This patch requires Java 1.8. Go to the System Status Console at PORTX > System > System Health and check the 'Java Version' under the 'System Information' section.
...
Update Procedure Log4J cleanup patch (via GUI)
DO NOT PERFORM THIS STEP BEFORE COMPLETION AND VERIFICATION OF STEP I ABOVE
Download the update - XPLG Log4J Cleanup Patch (save it - do not extract).
Open a browser to XpoLog and go to the Updates pages (PortX > System > About), click the 'publish patch', select the zip file that was downloaded at #1 and run.
Note: if you're running a cluster, select to publish the patch to all listed nodes.XPLG will automatically deploy the update, and restart - you should see a message indicating a successful deployment once done.
Verify at PortX > System > About that the update is listed as:
...