Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Apache Log4j high vulnerability (CVE-2021-45105) was recently published. Apache announced that Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3, did not protect from uncontrolled recursion from self-referential lookups.

When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting

Resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack. 

...

* It is very important to follow the steps in the order described below to complete the process successfully. The process is short and simple and is completed within minutes - deployment is similar to the software updates we occasionally release.

 

Upgrade/Update procedure

Prerequisites

·        This patch requires Java 1.8. Go to the System Status Console at PORTX > System > System Health and check the 'Java Version' under the 'System Information' section.

·        Ensure you have a valid V7 valid - Go to PORTX > Settings > License to verify. Contact us for additional information.

  • IMPORTANT: OS level Services (only for Linux deployments):
    In case you're running XPLG processes as services (Linux OS systemctl, init.d, systemd, etc.) follow the below steps, if not move to STEP I below.

    • Stop each of the XPLG instances services using systemctl/service command.

    • Start each instance manually ('sh /INSTALL_DIR/runXpoLog.sh start')

    • Proceed to upgrade procedure via GUI.

STEP I

Update Procedure main patch (via GUI)

...

  1. Download the update - XPLG Log4J Cleanup Patch (save it - do not extract).

  2. Open a browser to XpoLog and go to the Updates pages (PortX > System > About), click the 'publish patch', select the zip file that was downloaded at #1 and run.
    Note: if you're running a cluster, select to publish the patch to all listed nodes. 

  3. XPLG will automatically deploy the update, and restart - you should see a message indicating a successful deployment once done.

  4. Verify at PortX > System > About that the update is listed as as: 

Version: 7

Build: 1000

<DATE_OF_DEPLOY>

XpoLog Center 7 remove log4j Patch - December 2021

...

  • OS level Services (only for Linux deployments):
    In case you're running XPLG processes as services (Linux OS systemctl, init.d, systemd, etc.) follow the below steps.

    • Stop each of the XPLG instances manually ('sh /INSTALL_DIR/runXpoLog.sh stop')

    • Start all instances services using systemctl/service command.