Advisory on CVE-2021-44228
This page relates to the Genesys Advisory detailed here: https://genesys.my.salesforce.com/articles/Product_Advisories/Apache-Log4j-2-Java-library
Please follow the mitigation steps below based on your Workbench version.
Workbench 9.2.000.00, 9.1.100.00, 9.1.000.00, 9.0.100.00 and 9.0.000.00 (essentially all WB versions)
- First stop ALL Workbench Services
Workbench IO (Karaf)
The <WORKBENCH_INSTALL_DIRECTORY>/Karaf/etc/org.ops4j.pax.logging.cfg logging PatternLayout can be modified to specify the message converter as %m{nolookups} instead of just %m and %msg{nolookups} instead of just %msg:
From:
# Common pattern layout for appenders
log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n
log4j2.out.pattern = \u001b[90m%d{HH:mm:ss\.SSS}\u001b[0m %highlight{%-5level}{FATAL=${color.fatal}, ERROR=${color.error}, WARN=${color.warn}, INFO=${color.info}, DEBUG=${color.debug}, TRACE=${color.trace}} \u001b[90m[%t]\u001b[0m %msg%n%throwable
To:
# Common pattern layout for appenders
log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m{nolookups}%n
log4j2.out.pattern = \u001b[90m%d{HH:mm:ss\.SSS}\u001b[0m %highlight{%-5level}{FATAL=${color.fatal}, ERROR=${color.error}, WARN=${color.warn}, INFO=${color.info}, DEBUG=${color.debug}, TRACE=${color.trace}} \u001b[90m[%t]\u001b[0m %msg{nolookups}%n%throwable
and
From:
# Audit file appender
log4j2.appender.audit.layout.pattern = %m%n
To:
# Audit file appender
log4j2.appender.audit.layout.pattern = %m{nolookups}%n
Workbench ZooKeeper
The <WORKBENCH_INSTALL_DIRECTORY>/conf/log4j2.properties logging PatternLayout can be modified to specify the message converter as %m{nolookups} instead of just %m and %msg{nolookups} instead of just %msg:
From:
appender.console.layout.pattern = [%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n
appender.file.layout.pattern=[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n
appender.rolling.layout.pattern = %d %p %C{1.} [%t] %m%n
To:
appender.console.layout.pattern = [%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg{nolookups}%n
appender.file.layout.pattern=[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg{nolookups}%n
appender.rolling.layout.pattern = %d %p %C{1.} [%t] %m{nolookups}%n
Workbench Logstash
Remove the JndiLookup class from the classpath (e.g. with a tool such as 7Zip) by executing the command:
- zip -q -d <WORKBENCH_INSTALL_DIRECTORY>/<LOGSTASH_HOME>/logstash-core/lib/jars/log4j-core-2.* org/apache/logging/log4j/core/lookup/JndiLookup.class
Workbench Elasticsearch
Elasticsearch 6 and 7 are not susceptible to remote code execution with this vulnerability due to Elasticsearch's use of the Java Security Manager, as per this Elastic announcement: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476.
Workbench Agent 9.x
- Perform the Workbench Agent 9.x changes below on ALL Workbench Hosts and Anomaly Detection (AD) Hosts
In the <WORKBENCH_INSTALL_DIRECTORY>/WorkbenchAgent/log4j2.properties file, which is within the workbenchAgent.jar file, the logging PatternLayout can be modified to specify the message converter as %m{nolookups} instead of just %m and %msg{nolookups} instead of just %msg:
From:
appender.console.layout.pattern = [%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n
appender.rolling.layout.pattern = %d %p %C{1.} [%t] %m%n
To:
appender.console.layout.pattern = [%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg{nolookups}%n
appender.rolling.layout.pattern = %d %p %C{1.} [%t] %m{nolookups}%n
Workbench Kibana
Not impacted - no changes required.
Workbench Heartbeat
Not impacted - no changes required.
Workbench Metricbeat
Not impacted - no changes required.
Workbench Agent Remote (WAR)
Not impacted - no changes required.
- Finally once the above changes are completed, start ALL Workbench Services
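Before restarting the services, the edits above can be checked with a short script. This is an added example, not Genesys code: the function names are its own, and it assumes the edited properties files (or the Logstash log4j-core jar) are passed as command-line arguments. It exits non-zero if any layout pattern still has a bare %m / %msg or if JndiLookup.class is still in the jar.

```python
"""Added example: verify the Log4j mitigations above were applied (not Genesys code)."""
import re
import sys
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# %m, %msg or %message (optionally with a width modifier such as %-20m),
# followed by zero or more {option} groups. %marker, %mdc, %M etc. do not match.
MESSAGE_CONVERTER = re.compile(r"%[-\d.]*(?:message|msg|m)(?![A-Za-z])((?:\{[^{}]*\})*)")


def unmitigated_patterns(properties_text):
    """Return (line_number, key) for each layout pattern that still has a
    message converter without the {nolookups} option."""
    findings = []
    for number, line in enumerate(properties_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")) or "=" not in stripped:
            continue
        key, value = (part.strip() for part in stripped.split("=", 1))
        if not key.endswith("pattern"):  # skips filePattern and unrelated keys
            continue
        for match in MESSAGE_CONVERTER.finditer(value):
            if "{nolookups}" not in match.group(1):
                findings.append((number, key))
                break
    return findings


def jar_contains_jndilookup(jar):
    """True if the jar (path or file object) still ships JndiLookup.class."""
    with zipfile.ZipFile(jar) as archive:
        return JNDI_CLASS in archive.namelist()


if __name__ == "__main__":
    status = 0
    for path in sys.argv[1:]:
        if path.endswith(".jar"):
            if jar_contains_jndilookup(path):
                print(f"{path}: JndiLookup.class still present")
                status = 1
        else:
            with open(path, encoding="utf-8") as handle:
                for number, key in unmitigated_patterns(handle.read()):
                    print(f"{path}:{number}: {key} lacks {{nolookups}}")
                    status = 1
    sys.exit(status)
```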
