Log4J Vulnerability (CVE-2021-44228)

Document revision

  • Created: December 10, 2021
  • Updated: December 16, 2021, offered Log4j 2.16 libraries
  • Updated: December 20, 2021, offered Log4j 2.17 libraries
  • Updated: December 22, 2021, added same-directory backup warning
  • Updated: January 3, 2022, offered Log4j 2.17.1 libraries

What is the vulnerability?

On Friday, December 10, 2021, a zero-day exploit in the popular Java logging library Log4j was disclosed. It results in Remote Code Execution (RCE) when the library logs a certain string.

Read this document carefully to see if you're impacted, and if yes, what to do.

Is CostPerform impacted?

Yes. The vulnerability is present in versions 2.0 to 2.14.1 of Apache Log4j. The latest CostPerform version uses Log4j 2.13.0, which is one of the affected versions.

How do I mitigate this?

It depends on your current CostPerform version.

If you have CostPerform version 9.3.2 or higher

See: Modify the startup options of the programs.

or

You could upgrade Log4j to the latest version (Log4j 2.17.1). See Upgrade Log4j.

If you have CostPerform version 9.3.1.4 or lower

See: Modify the logging pattern

In the following descriptions, %COSTPERFORM_HOME% points to the directory where CostPerform is installed.

CostPerform version 9.3.2 or higher: Modify the startup options of the programs

Read this whole description before attempting the modification!

Always create backups of deleted or modified files. Do NOT store the backups in the same directory, as this can cause errors. Keep backups OUTSIDE the installation directory!

  1. Stop the server, service or client
  2. Open Windows Explorer
  3. Navigate to %COSTPERFORM_HOME%\bin
  4. Open the file cpjava9args.txt
  5. Insert a new line at the very top
  6. Paste this line as the first line:
    -Dlog4j2.formatMsgNoLookups=true
  7. Save the file
  8. Repeat steps 5-7 for the file %COSTPERFORM_HOME%\server\webswing\webswingargs.txt

CostPerform version 9.3.1.4 or lower: Modify the logging pattern

This procedure is valid for both servers and clients.

Read this whole description before attempting the modification!

Always create backups of deleted or modified files. Do NOT store the backups in the same directory, as this can cause errors. Keep backups OUTSIDE the installation directory!

  1. Stop the server, service or client
  2. Open Windows Explorer
  3. Navigate to %COSTPERFORM_HOME%\settings
  4. Open each XML file
  5. In each file, find every occurrence of %m (a file can contain several)
  6. Replace each occurrence with %m{nolookups}
  7. Save the file
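The following Python script is an added example, not CostPerform's own tooling: it applies either procedure above to an installation and refuses to write the backup inside the installation directory, as the warnings require. The installation path, the backup path and the UTF-8 file encoding are assumptions. It goes slightly beyond the steps above in two ways: it also patches the %msg and %message spellings of the message specifier (Log4j 2 treats them as aliases of %m), and it skips an occurrence that already carries an option block such as %m{nolookups}, so running it twice is harmless.

```python
import re
import shutil
from pathlib import Path

NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"

# Match the message specifier (%m and its aliases %msg/%message), with an
# optional width modifier such as %-5m, only when no option block follows.
# The lookahead skips %M (method), %marker, %mdc{...} and an already patched
# %m{nolookups}, which keeps the replacement idempotent.
MSG_PATTERN = re.compile(r"(%[-.\d]*)(message|msg|m)(?![A-Za-z{])")


def patch_pattern_text(text: str) -> str:
    """Procedure for 9.3.1.4 or lower: rewrite %m to %m{nolookups}."""
    return MSG_PATTERN.sub(r"\1\2{nolookups}", text)


def patch_args_text(text: str) -> str:
    """Procedure for 9.3.2 or higher: put the flag on the first line if absent."""
    if any(line.strip() == NOLOOKUPS_FLAG for line in text.splitlines()):
        return text
    return NOLOOKUPS_FLAG + "\n" + text


def patch_file(path: Path, backup_dir: Path, transform) -> bool:
    """Back up the file into backup_dir, then rewrite it. Returns True if changed."""
    original = path.read_text(encoding="utf-8")  # assumption: files are UTF-8
    patched = transform(original)
    if patched == original:
        return False
    backup_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(path, backup_dir / path.name)
    path.write_text(patched, encoding="utf-8")
    return True


def mitigate(home: Path, backup_dir: Path, startup_option_supported: bool) -> list:
    """Apply the procedure matching the CostPerform version; returns patched paths."""
    # The warning above: backups must live outside the installation directory.
    if backup_dir.resolve().is_relative_to(home.resolve()):  # Python 3.9+
        raise ValueError("keep backups outside the installation directory")
    if startup_option_supported:  # CostPerform 9.3.2 or higher
        targets = [(home / "bin" / "cpjava9args.txt", patch_args_text),
                   (home / "server" / "webswing" / "webswingargs.txt", patch_args_text)]
    else:  # CostPerform 9.3.1.4 or lower
        targets = [(p, patch_pattern_text) for p in (home / "settings").glob("*.xml")]
    return [p for p, fn in targets if p.exists() and patch_file(p, backup_dir, fn)]


if __name__ == "__main__":
    # Assumed paths; stop the server, service or client before running this.
    print(mitigate(Path(r"C:\CostPerform"), Path(r"C:\CostPerformBackup"), True))
```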

What's next?

We will incorporate the fixes that the Log4j project releases into our next release.

More information

If you require more information please contact our Support line on +31 (0) 85 023 2114 or send an email to support@costperform.com.

Relevant Links

  • CVE-2021-44228 information: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  • Background information: https://www.lunasec.io/docs/blog/log4j-zero-day/
  • Pre-version 2.10 mitigation information: https://issues.apache.org/jira/browse/LOG4J2-2109
  • Apache Log4j home: https://logging.apache.org/log4j/2.x