CostPerform Security Patch Information

Log4J Vulnerability (CVE-2021-44228)
Log4j CVE Overview
CVE-2021-44228CVE-2021-45046CVE-2021-45105CVE-2021-44832
Document revision
  • Created: December 10, 2021
  • Updated: December 16, 2021, offered Log4j 2.16 libraries
  • Updated: December 20, 2021, offered Log4j 2.17 libraries
  • Updated: December 22, 2021, Added same directory backup warning
  • Updated: January 3, 2022, offered Log4j 2.17.1 libraries
What is the vulnerability?

Friday, December 10 2021, a zero-day exploit in the popular Java logging library log4j was discovered that results in Remote Code Execution (RCE) by logging a certain string.

Read this document carefully to see if you're impacted, and if yes, what to do.

Is CostPerform impacted?

Yes. The vulnerability is found in versions 2.0 to 2.14.1 of Apache Log4j. CostPerform latest version uses version 2.13.0 of Log4J, which is one of the affected versions.

How do I mitigate this?

It depends on your current CostPerform version.

If you have CostPerform version 9.3.2 or higher

See: Modify the startup options of the programs.

or

You could upgrade Log4j to the latest version (Log4j 2.17.1). See Upgrade Log4j

If you have CostPerform version 9.3.1.4 or lower

See: Modify the logging pattern

In the following descriptions, %COSTPERFORM_HOME% points to the directory where CostPerform is installed.

CostPerform version 9.3.2 or higher: Modify the startup options of the programs

Read this whole description before attempting the modification!

Always create backups of deleted or modified files. Do NOT backup files in the same directory. This might cause errors. Keep backups OUTSIDE the installation directory!

  1. Stop the server, service or client
  2. Open Windows Explorer
  3. Navigate to %COSTPERFORM_HOME%\bin
  4. Open the file cpjava9args.txt
  5. Insert a new line at the very top
  6. Paste this line as the first line: -Dlog4j2.formatMsgNoLookups=true
  7. Save the file
  8. Repeat steps 5-7 for the file %COSTPERFORM_HOME%\server\webswing\webswingargs.txt
CostPerform version 9.3.1.4 or lower: Modify the logging pattern

This procedure is valid for both servers and clients.

Read this whole description before attempting the modification!

Always create backups of deleted or modified files. Do NOT backup files in the same directory. This might cause errors. Keep backups OUTSIDE the installation directory!

  1. Stop the server, service or client
  2. Open Windows Explorer
  3. Navigate to %COSTPERFORM_HOME%\settings
  4. Open each XML file
  5. In each file, find all the occurrences of %m (There can be multiple occurrences of %m per file)
  6. Replace each occurrence with %m{literal}{nolookups}{/literal}
  7. Save the file.
What's next?

We will incorporate the fixes that Log4j will release into our next release.

More information

If you require more information please contact our Support line on +31 (0)347 355 027 or send an email to support@costperform.com.

Relevant Links
CVE-2021-44228 information
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Background information
https://www.lunasec.io/docs/blog/log4j-zero-day/
Pre-version 2.10 mitigation information
https://issues.apache.org/jira/browse/LOG4J2-2109
Apache Log4J home
https://logging.apache.org/log4j/2.x