7.8069 (Log4J) - Release Notes
Background
A high-severity Apache Log4j vulnerability (CVE-2021-45105) was recently published. Apache announced that Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3, do not protect against uncontrolled recursion from self-referential lookups.
When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input that contains a recursive lookup, resulting in a StackOverflowError that terminates the process. This is also known as a DoS (Denial of Service) attack.
Apache Log4j 2 is an open-source Java package that allows developers to log activity within applications. More information is available from the Apache Log4j project.
XPLG product suite impact
Recently we published patch 8067, which migrated all Log4j libraries used within XPLG to Apache Log4j2 version 2.16.0.
Given Apache's latest announcement, patch 8069 is now available to migrate all used libraries to Apache Log4j2 version 2.17.0.
This article guides you through the process of updating your XPLG environment with the latest security update. The procedure is performed in two steps:
1. Update the environment with the main patch - this patch replaces all necessary components in the product suite so that they use the latest Log4J version, 2.17.0.
2. Run a cleanup of all other Log4J versions inside the XPLG directories.
* It is very important to follow the steps in the order described below to complete the process successfully. The process is short and simple and is completed within minutes - deployment is similar to the software updates we occasionally release.
Upgrade/Update procedure
Prerequisites
· This patch requires Java 1.8. Go to the System Status Console at PORTX > System > System Health and check 'Java Version' under the 'System Information' section.
· Ensure you have a valid V7 license - go to PORTX > Settings > License to verify. Contact us for additional information.
IMPORTANT: OS level Services (only for Linux deployments):
If you're running XPLG processes as services (Linux OS systemctl, init.d, systemd, etc.), follow the steps below; if not, move on to STEP I below.
1. Stop each of the XPLG instance services using the systemctl/service command.
2. Start each instance manually ('sh /INSTALL_DIR/runXpoLog.sh start').
3. Proceed to the upgrade procedure via the GUI.
STEP I
Update Procedure main patch (via GUI)
1. Download the update - XPLG Update Patch (save it - do not extract).
2. Apply a valid XPLG 7 license (if upgrading from an earlier version - PortX > Settings > License).
3. Open a browser to XpoLog and go to the Updates page (PortX > System > About), click 'publish patch', select the zip file that was downloaded at #1 and run.
Note: if you're running a cluster, select to publish the patch to all listed nodes. XPLG will automatically deploy the update and restart - you should see a message indicating a successful deployment once done.
4. Verify at PortX > System > About that the update is listed and the installed version is 7.8069.
Note: if the patch is not listed or any other error is listed when verifying, please contact support@xplg.com
STEP II
Update Procedure Log4J cleanup patch (via GUI)
DO NOT PERFORM THIS STEP BEFORE COMPLETION AND VERIFICATION OF STEP I ABOVE
1. Download the update - XPLG Log4J Cleanup Patch (save it - do not extract).
2. Open a browser to XpoLog and go to the Updates page (PortX > System > About), click 'publish patch', select the zip file that was downloaded at #1 and run.
Note: if you're running a cluster, select to publish the patch to all listed nodes. XPLG will automatically deploy the update and restart - you should see a message indicating a successful deployment once done.
3. Verify at PortX > System > About that the update is listed as:
Version: 7 | Build: 1000 | <DATE_OF_DEPLOY> | XpoLog Center 7 remove log4j Patch - December 2021 |
Note: if the patch is not listed or any other error is listed when verifying, please contact support@xplg.com
Post Update Procedure
OS level Services (only for Linux deployments):
If you're running XPLG processes as services (Linux OS systemctl, init.d, systemd, etc.), follow the steps below.
1. Stop each of the XPLG instances manually ('sh /INSTALL_DIR/runXpoLog.sh stop').
2. Start all instance services using the systemctl/service command.
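As an added post-update check (example code, not part of XPLG's own patches or tooling), the following POSIX shell script scans an install directory for leftover log4j-core jars whose version is still inside the CVE-2021-45105 range, which is what the STEP II cleanup is meant to remove. The install path passed as the first argument and the log4j-core-<version>.jar naming scheme are assumptions.

```sh
#!/bin/sh
# Added example, not XPLG's own tooling: after the STEP II cleanup, list any
# log4j-core jars left under the install directory whose version is still in
# the CVE-2021-45105 range (2.0-alpha1 through 2.16.0, except 2.12.3).
# The jar naming scheme log4j-core-<version>.jar is an assumption; the
# install directory is passed as the first argument.

# Print the <version> part of a path ending in log4j-core-<version>.jar.
log4j_jar_version() {
    base=$(basename "$1" .jar)
    printf '%s\n' "${base#log4j-core-}"
}

# Return 0 if the version is in the vulnerable range, 1 if it is fixed.
log4j_version_vulnerable() {
    v=$1
    [ "$v" = "2.12.3" ] && return 1                # excluded by Apache
    num=${v%%-*}                                   # drop -alpha1 / -rc1 suffixes
    major=$(printf '%s\n' "$num" | cut -d. -f1)
    minor=$(printf '%s\n' "$num" | cut -s -d. -f2) # empty when no minor part
    [ "$major" -eq 2 ] || return 1                 # only the 2.x line is in scope
    [ "${minor:-0}" -le 16 ] && return 0           # 2.0 .. 2.16.x
    return 1                                       # 2.17.0 and later
}

# Print one "VULNERABLE <jar> (<version>)" line per affected jar under $1.
scan_log4j_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        v=$(log4j_jar_version "$jar")
        if log4j_version_vulnerable "$v"; then
            printf 'VULNERABLE %s (%s)\n' "$jar" "$v"
        fi
    done
}

# Return 0 when no vulnerable log4j-core jar remains under $1, 1 otherwise.
log4j_cleanup_ok() {
    [ -z "$(scan_log4j_jars "$1")" ]
}
```

Run it as `scan_log4j_jars /INSTALL_DIR` on each node after STEP II; an empty result (and a zero exit from `log4j_cleanup_ok`) means no jar in the affected range is left on disk.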