Wednesday, 22 December 2021

CVE-2021-44228 Apache Log4j Remote Code Execution Vulnerability

- Apache reported that CVE-2021-44228 applies only to Log4j versions 2.0-2.14.1, and does not apply to Log4j versions 1.x.

- Apache reported that CVE-2021-45046 applies only to Log4j versions 2.0-2.15, and does not apply to Log4j versions 1.x.

However, Log4j 1.x is End Of Life (EOL) and will not receive patches for this issue, so upgrading to the latest Log4j 2 release is recommended.

Log4j 2.x mitigation

Implement one of the following mitigation techniques:

- Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).

- Otherwise, in any release other than 2.16.0, you may remove the JndiLookup class from the classpath:

  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Reference

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228

The following steps upgrade the log4j*.jar for Java 8.

If you run a different Java version, download the matching Log4j release from https://logging.apache.org/log4j/2.x/download.html


Step 1

Back up the log4j-1.2.15 jar from the location shown below under the Apache Tomcat folder.

Step 2

Once the backup is taken:

- Stop the Apache Tomcat service

- Remove log4j-1.2.15 from the location (remove it, do not rename it)

- Copy the provided jars 1 & 2 to the location under Apache Tomcat WEB-INF/lib

- Start the Apache Tomcat service

- Test Jasper Reports

  - Jasper Reports should work successfully.

Step 3 (to be followed only if Jasper Reports fails to run after completing Steps 1 and 2)

- After copying jars 1 & 2 as above, you might find that Jasper Reports does not run, as in the screenshot below.

  - Stop the Apache service

  - Copy the third jar provided

  - Start the Apache service

  - Jasper Reports works successfully

Rollback Plan (if neither of the above succeeds)

- Stop the Apache Tomcat service

- Remove the newly copied jars

- Copy the original jar from the backup to its original location under Apache Tomcat

- Start the Apache Tomcat service

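To confirm the outcome of either mitigation above (an upgraded log4j-core jar, or a jar with JndiLookup.class removed) for every Log4j jar in a WEB-INF/lib before Tomcat is started again, here is an added Python example that is not part of the original post. It assumes each jar carries the standard Maven pom.properties entry; the jars audited in demo() are constructed in a temporary directory, not real artifacts.

```python
import tempfile
import zipfile
from pathlib import Path
# Added example, not from the original post: classify log4j jars against the
# fixes listed above. Assumes each jar carries a Maven pom.properties entry.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3)}  # Java 6 / 7 branches; 2.17.0 otherwise

def jar_version(zf):
    """Version tuple from the Maven pom.properties inside an open jar, or None."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            for line in zf.read(name).decode().splitlines():
                if line.startswith("version="):  # e.g. 2.14.1 or 2.0-beta9
                    return tuple(int(p) for p in line[8:].split("-")[0].split("."))
    return None

def assess(jar):
    """One of: 'eol-1.x', 'fixed', 'mitigated', 'vulnerable', 'unknown'."""
    with zipfile.ZipFile(jar) as zf:
        ver = jar_version(zf)
        if ver is None:
            return "unknown"
        if ver[0] == 1:
            return "eol-1.x"  # 1.x gets no patch; the advice is to move to 2.x
        if ver >= FIXED.get(ver[:2], (2, 17, 0)):
            return "fixed"
        # Removing JndiLookup is the advisory's fallback, except on 2.16.0
        if JNDI_LOOKUP not in zf.namelist() and ver != (2, 16, 0):
            return "mitigated"
        return "vulnerable"

def audit(lib_dir):
    """Map every log4j*.jar under lib_dir (e.g. WEB-INF/lib) to its status."""
    return {p.name: assess(p) for p in sorted(Path(lib_dir).glob("log4j*.jar"))}

def make_sample_jar(path, version, with_jndi):
    # Constructed minimal jar: Maven metadata plus, optionally, the lookup class
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/maven/x/log4j-core/pom.properties", f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only

def demo():
    """Audit four constructed jars: vulnerable, class removed, fixed, and 1.x."""
    d = Path(tempfile.mkdtemp())
    make_sample_jar(d / "log4j-core-2.14.1.jar", "2.14.1", True)
    make_sample_jar(d / "log4j-core-2.15.0.jar", "2.15.0", False)
    make_sample_jar(d / "log4j-core-2.17.0.jar", "2.17.0", True)
    make_sample_jar(d / "log4j-1.2.15.jar", "1.2.15", False)
    return audit(d)
```

Point audit() at the real WEB-INF/lib after Step 2 to see whether the old 1.x jar is really gone and the new jars are at a fixed version.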
Thank you!
