...
A high-severity Apache Log4j vulnerability (CVE-2021-45105) was recently published. Apache announced that Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3, did not protect against uncontrolled recursion from self-referential lookups.
When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input that contains a recursive lookup, resulting in a StackOverflowError that terminates the process. This is also known as a DoS (Denial of Service) attack.
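To decide whether a deployment is in scope for the advisory above, the added Python example below (not XPLG's code) checks both conditions it names: a Log4j 2 version in the affected range and a PatternLayout that uses a Context Lookup. The sample log4j2.xml is constructed, and treating 2.12.x releases after 2.12.3 as fixed is an assumption that extends the advisory's "excluding 2.12.3".

```python
import re
import xml.etree.ElementTree as ET

# Qualifier ranks so that 2.0-alpha1 < 2.0-beta9 < 2.0-rc1 < 2.0 (release).
_QUALIFIERS = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE = 3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")

def parse_version(version):
    """Turn a Log4j 2 version string into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, qual, qual_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _QUALIFIERS.get(qual, _RELEASE), int(qual_num or 0))

FIRST_AFFECTED = parse_version("2.0-alpha1")   # range stated in the advisory
LAST_AFFECTED = parse_version("2.16.0")

def is_affected_version(version):
    """True if the version falls in the CVE-2021-45105 range given in the advisory."""
    v = parse_version(version)
    # 2.12.3 is the fixed release on the 2.12 branch; later 2.12.x releases
    # inherit that fix (assumption extending the advisory's "excluding 2.12.3").
    if v[:2] == (2, 12) and v[2] >= 3 and v[3] == _RELEASE:
        return False
    return FIRST_AFFECTED <= v <= LAST_AFFECTED

# Matches ${ctx:...} and the escaped form $${ctx:...} used in configuration files.
_CTX_LOOKUP_RE = re.compile(r"\$\{ctx:[^}]*\}")

def context_lookup_patterns(config_xml):
    """Return every PatternLayout pattern in a log4j2.xml that contains a Context Lookup."""
    root = ET.fromstring(config_xml)
    hits = []
    for layout in root.iter("PatternLayout"):
        pattern = layout.get("pattern")
        if pattern is None:
            child = layout.find("Pattern")
            pattern = child.text if child is not None else None
        if pattern and _CTX_LOOKUP_RE.search(pattern):
            hits.append(pattern)
    return hits

# Constructed sample configuration (not taken from any XPLG installation).
# The %X{key} converter reads the MDC without a lookup; only the $${ctx:...} layout is flagged.
SAMPLE_CONFIG = """<Configuration><Appenders>
  <Console name="safe"><PatternLayout pattern="%d %p %X{loginId} %m%n"/></Console>
  <Console name="risky"><PatternLayout pattern="%d %p $${ctx:loginId} %m%n"/></Console>
</Appenders></Configuration>"""

def in_scope(version, config_xml):
    """Both advisory conditions must hold: affected version and a Context Lookup in a pattern."""
    return is_affected_version(version) and bool(context_lookup_patterns(config_xml))
```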
...
* It is very important to follow the steps in the order described below to complete the process successfully. The process is short and simple and is completed within minutes - deployment is similar to the software updates we occasionally release.
Upgrade/Update procedure
Prerequisites
· This patch requires Java 1.8. Go to the System Status Console at PORTX > System > System Health and check the 'Java Version' under the 'System Information' section.
· Ensure you have a valid V7 license - go to PORTX > Settings > License to verify. Contact us for additional information.
IMPORTANT: OS level Services (only for Linux deployments):
In case you're running XPLG processes as services (Linux OS systemctl, init.d, systemd, etc.), follow the steps below; if not, move to STEP I below.
1. Stop each of the XPLG instance services using the systemctl/service command.
2. Start each instance manually ('sh /INSTALL_DIR/runXpoLog.sh start').
3. Proceed to the upgrade procedure via the GUI.
STEP I
Update Procedure main patch (via GUI)
...
1. Download the update - XPLG Log4J Cleanup Patch (save it - do not extract).
2. Open a browser to XpoLog and go to the Updates page (PortX > System > About), click 'publish patch', select the zip file that was downloaded at #1 and run.
Note: if you're running a cluster, select to publish the patch to all listed nodes.
XPLG will automatically deploy the update and restart - you should see a message indicating a successful deployment once done.
3. Verify at PortX > System > About that the update is listed as:
Version: 7 | Build: 1000 | <DATE_OF_DEPLOY> | XpoLog Center 7 remove log4j Patch - December 2021 |
...
OS level Services (only for Linux deployments):
In case you're running XPLG processes as services (Linux OS systemctl, init.d, systemd, etc.), follow the steps below.
1. Stop each of the XPLG instances manually ('sh /INSTALL_DIR/runXpoLog.sh stop').
2. Start all instance services using the systemctl/service command.