Log4J Vulnerability (CVE-2021-45046)

Document revision

  • Created: December 14, 2021
  • Updated: December 16, 2021, offered Log4j 2.16 libraries
  • Updated: December 20, 2021, offered Log4j 2.17 libraries
  • Updated: December 22, 2021, Added same directory backup warning
  • Updated: January 3, 2022, offered Log4j 2.17.1 libraries

What is the vulnerability?

The fix for CVE-2021-44228 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), an attacker with control over Thread Context Map (MDC) input data can craft malicious input using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack.

Is CostPerform impacted?

Very unlikely. We have checked the patterns that are used for logging, and only standard options are used. The vulnerable configuration options for Context Lookup and Thread Context Map are not used in our logging.

How do I mitigate this?

Unless you have changed the CostPerform logging configuration, it's very unlikely you need to mitigate this.

If you still feel you need to mitigate this, your options depend on your CostPerform version.

If you have CostPerform version 9.3.2 or higher

Since Apache Log4j is compiled with Java 11, you will need a Java 11 compatible installation of CostPerform. This is the case starting from CostPerform 9.3.2.

See: Upgrade the included Log4j

If you have CostPerform version 9.3.1.4 or lower

See: Remove all JndiLookup.class files.

In the following descriptions, %COSTPERFORM_HOME% points to the directory where CostPerform is installed.

Upgrade the included Log4j

This process involves opening several archives, some nested in other archives, and replacing files inside them.

The Log4j libraries are found in several different archive files. To edit the archives you need a tool that can read nested archives, such as 7-Zip. This lets you modify the enclosed archives and have the parent archive updated automatically.

Read this whole description before attempting the modification!

Always create backups of deleted or modified files. Do NOT store backups of the .ear and other libraries in the same directory: they will be deployed twice and cause errors. Keep backups OUTSIDE the installation directory!

  1. Download the archive with the new Log4j libraries, log4j-2.17.1.zip.
    It's advisable to use the provided zip file. The libraries in the zip file are identical to the official binaries from the Apache website, but they are signed with the CostPerform Code Certificate so that their integrity can be validated. You may receive errors if you do the replacement with files taken directly from the Apache binaries; if that is the case, use the libraries from the zip file.
  2. Unpack the archive from the previous step in a temporary directory.
  3. The following files need replacing in the locations given in steps 4, 5 and 6:
    • Replace log4j-api-2.*.*.jar with log4j-api-2.17.1.jar
    • Replace log4j-core-2.*.*.jar with log4j-core-2.17.1.jar
    • If it exists, replace log4j-jcl-2.*.*.jar with log4j-jcl-2.17.1.jar
    • If it exists, replace log4j-slf4j-impl-2.*.*.jar with log4j-slf4j-impl-2.17.1.jar
    • If it exists, replace log4j-web-2.*.*.jar with log4j-web-2.17.1.jar
  4. Navigate to the location below and perform the replacements from step 3:
    • %COSTPERFORM_HOME%\lib\
  5. Open the %COSTPERFORM_HOME%\server\webswing\webswing-server.war archive using 7-Zip, navigate to the location below and perform the replacements from step 3:
    • webswing-server.war → \WEB-INF\lib
  6. Open the %COSTPERFORM_HOME%\server\deploy\cc.ear archive using 7-Zip, navigate to the locations below and perform the replacements from step 3:
    • cc.ear → \lib
    • cc.ear → portal.war → \lib
    • cc.ear → webswing-server.war → \WEB-INF\lib\
  7. Select the old versions of the Log4j files and delete them.
  8. Drag and drop the new versions of the Log4j files from Windows Explorer into that location.
  9. Close the archive. 7-Zip will ask whether to update the archive and the nested archive. Confirm that you want to update!

Remove all JndiLookup.class files

This process involves opening several archives, some nested in other archives, and deleting a specific class file from the archive.

This class file is found in four different archive files. To edit the archives you need a tool that can read nested archives, such as 7-Zip. This lets you modify the enclosed archives and have the parent archive updated automatically.

Read this whole description before attempting the modification!

Always create backups of deleted or modified files.

  1. The file to delete is called org\apache\logging\log4j\core\lookup\JndiLookup.class and is found inside various archives.
  2. This file is contained in the following library archives (an arrow → after a file name means that the path following it lies inside that nested archive).
    • %COSTPERFORM_HOME%\lib\log4j-core-2.13.0.jar
    • %COSTPERFORM_HOME%\server\deploy\cc.ear → \lib\log4j-core-2.13.0.jar
    • %COSTPERFORM_HOME%\server\deploy\cc.ear → portal.war → \lib\log4j-core-2.13.0.jar
    • %COSTPERFORM_HOME%\server\deploy\cc.ear → webswing-server.war → \WEB-INF\lib\log4j-core-2.*.*.jar
    • %COSTPERFORM_HOME%\server\webswing\webswing-server.war → \WEB-INF\lib\log4j-core-2.*.*.jar
  3. Repeat steps 4 to 7 for each archive listed above.
  4. Navigate to the file listed in step 1.
  5. Delete the file from the archive.
  6. Close the archive.
  7. 7-Zip will ask whether to update the archive and the nested archive. Confirm that you want to update!
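The following check, added here as an example and not part of CostPerform's advisory, verifies the outcome of either route above (the jar upgrade for 9.3.2 and higher, or the class removal for 9.3.1.4 and lower): it recurses through an ear → war → lib\*.jar tree the same way 7-Zip displays it, reports the version of every log4j-core jar and whether JndiLookup.class is still inside it. The cc.ear it scans is constructed in memory; against a real installation you would pass the bytes of %COSTPERFORM_HOME%\server\deploy\cc.ear (and the other archives listed above) to scan_archive.

```python
import io
import re
import zipfile

# Zip entry names are case-sensitive; compare lowercased so JNDILookup.class also matches.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)
FIXED = (2, 17, 1)                             # release offered by this advisory
NESTED_EXT = (".ear", ".war", ".jar", ".zip")  # archive kinds that may nest

def scan_archive(data, path):
    """Recurse ear -> war -> lib/*.jar; return (path, version, has_jndi) per log4j-core jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(NESTED_EXT):
                continue
            inner, shown = zf.read(name), f"{path} -> {name}"
            m = JAR_RE.search(name)
            if not m:                          # some other archive: descend into it
                findings.extend(scan_archive(inner, shown))
                continue
            with zipfile.ZipFile(io.BytesIO(inner)) as jar:
                names = {n.lower() for n in jar.namelist()}
            version = tuple(int(p) for p in m.group(1).split("."))
            findings.append((shown, version, JNDI_CLASS.lower() in names))
    return findings

def classify(version, has_jndi):
    """upgraded: at or above FIXED; class removed: older jar without JndiLookup; else unmitigated."""
    if version >= FIXED:
        return "upgraded"
    return "unmitigated" if has_jndi else "class removed"

def _zip(entries):
    """Build an in-memory zip from {entry name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_ear():
    """Constructed cc.ear in the advisory's layout: unpatched jar in lib/, upgraded jar
    inside portal.war, class-stripped older jar inside webswing-server.war."""
    jar_with = _zip({JNDI_CLASS: b"\xca\xfe\xba\xbe"})             # fake class bytes
    return _zip({"lib/log4j-core-2.13.0.jar": jar_with,
                 "portal.war": _zip({"lib/log4j-core-2.17.1.jar": jar_with}),
                 "webswing-server.war": _zip({"WEB-INF/lib/log4j-core-2.13.0.jar":
                     _zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})})})
```

Any jar reported as "unmitigated" still needs one of the two procedures applied; "class removed" jars are mitigated for the JNDI lookup but remain on an old release.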

What's next?

We will incorporate the fixes that Log4j will release into our next release.

More information

If you require more information please contact our Support line on +31 (0) 85 023 2114 or send an email to support@costperform.com.

Relevant Links

CVE-2021-45046 information
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Background information
https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
Apache Log4J home
https://logging.apache.org/log4j/2.x