Log4J Vulnerability (CVE-2021-45105)

Document revision

  • Created: December 20, 2021
  • Updated: December 22, 2021: added the warning about keeping backups in the same directory
  • Updated: January 3, 2022: offered Log4j 2.17.1 libraries

What is the vulnerability?

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Is CostPerform impacted?

Very unlikely. We have checked the patterns that are used for logging, and only standard options are used. The vulnerable configuration options for Thread Context Map are not used in our logging.

How do I mitigate this?

Unless you have changed the CostPerform logging configuration, it's very unlikely you need to mitigate this.

If you still feel you need to mitigate this, your options depend on your CostPerform version.

If you have CostPerform version 9.3.2 or higher

Since Apache Log4j is compiled with Java 11, you need a Java 11 compatible installation of CostPerform. This is the case from CostPerform 9.3.2 onwards.

See: Upgrade the included Log4j

In the following descriptions, %COSTPERFORM_HOME% points to the directory where CostPerform is installed.

Upgrade the included Log4j

This process involves opening several archives, some of them nested inside other archives, and replacing files inside them.

The Log4j libraries are found in several archive files. To edit these archives you need a tool that can open nested archives, such as 7-Zip. Such a tool lets you modify an enclosed archive and have the parent archive updated automatically.

Read this whole description before attempting the modification!

Always create backups of deleted or modified files. Do NOT back up the .ear or other libraries in the same directory: the server will deploy them twice, which causes errors. Keep backups OUTSIDE the installation directory!

  1. Download the archive with the new Log4j libraries, log4j-2.17.1.zip.
    It is advisable to use the provided zip file. The libraries in the zip file are the same as the official binaries from the Apache website, but they are signed with the CostPerform Code Certificate so that their integrity can be validated. You may receive errors if you perform the replacement with files taken directly from the Apache binaries. If that is the case, use the libraries from the zip file.
  2. Unpack the archive from the previous step in a temporary directory.
  3. The following files need replacing in the locations of steps 4, 5 and 6:
    • Replace log4j-api-2.*.*.jar with log4j-api-2.17.1.jar
    • Replace log4j-core-2.*.*.jar with log4j-core-2.17.1.jar
    • If it exists, replace log4j-jcl-2.*.*.jar with log4j-jcl-2.17.1.jar
    • If it exists, replace log4j-slf4j-impl-2.*.*.jar with log4j-slf4j-impl-2.17.1.jar
    • If it exists, replace log4j-web-2.*.*.jar with log4j-web-2.17.1.jar
  4. Navigate to the location below and perform the replacements from step 3:
    • %COSTPERFORM_HOME%\lib\
  5. Open the %COSTPERFORM_HOME%\server\webswing\webswing-server.war archive using 7-Zip, navigate to the location below and perform the replacements from step 3:
    • webswing-server.war → \WEB-INF\lib
  6. Open the %COSTPERFORM_HOME%\server\deploy\cc.ear archive using 7-Zip, navigate to the locations below and perform the replacements from step 3:
    • cc.ear → \lib
    • cc.ear → portal.war → \lib
    • cc.ear → webswing-server.war → \WEB-INF\lib\
  7. Select the old versions of Log4j files and delete them.
  8. Drag and drop the new versions of the Log4j files from Windows Explorer into that location.
  9. Close the archive. 7-Zip will ask whether to update the archive and the nested archive. Confirm that you want to update!
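Because the jars sit at several nesting depths, it is easy to miss one. The script below is an added verification helper, not part of the CostPerform instructions: it walks an .ear/.war/.jar recursively and lists every Log4j 2 jar with its version, flagging any that predate the CVE-2021-45105 fix. It assumes the jar file names follow the log4j-<artifact>-<version>.jar pattern shown in step 3; the sample archive it scans is constructed in memory and mirrors the cc.ear layout of step 6.

```python
import io
import re
import zipfile

# Added verification helper (not CostPerform's own tooling): walks an .ear/.war/.jar and
# reports every Log4j 2 jar found at any nesting depth, flagging versions without the fix.
LOG4J_JAR = re.compile(r"^(log4j-(?:api|core|jcl|slf4j-impl|web))-(\d+(?:\.\d+)+)\.jar$")
NESTED = (".ear", ".war", ".jar", ".zip")

def is_fixed(version):
    """CVE-2021-45105 is fixed in 2.17.0 and, on the 2.12 branch, in 2.12.3."""
    v = tuple(int(p) for p in version.split("."))
    return v >= (2, 12, 3) if v[:2] == (2, 12) else v >= (2, 17, 0)

def scan_archive(data, path="", found=None):
    """Return (path, artifact, version, fixed) for every Log4j jar inside the archive bytes."""
    found = [] if found is None else found
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a zip container, nothing to inspect
    with zf:
        for info in zf.infolist():
            full, base = path + info.filename, info.filename.rsplit("/", 1)[-1]
            m = LOG4J_JAR.match(base)
            if m:
                found.append((full, m.group(1), m.group(2), is_fixed(m.group(2))))
            elif not info.is_dir() and base.lower().endswith(NESTED):
                scan_archive(zf.read(info.filename), full + " -> ", found)
    return found

def make_zip(entries):
    """Build an in-memory zip from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_ear():
    """Constructed fixture mimicking the cc.ear layout above, with two jars left at 2.16.0."""
    stub = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    portal = make_zip({"lib/log4j-api-2.17.1.jar": stub, "lib/log4j-core-2.17.1.jar": stub})
    webswing = make_zip({"WEB-INF/lib/log4j-core-2.16.0.jar": stub})
    return make_zip({"lib/log4j-api-2.17.1.jar": stub, "lib/log4j-core-2.16.0.jar": stub,
                     "portal.war": portal, "webswing-server.war": webswing})

if __name__ == "__main__":  # real install: scan_archive(open(path, "rb").read(), path + " -> ")
    for full, _artifact, version, ok in scan_archive(build_sample_ear(), "cc.ear -> "):
        print("OK      " if ok else "OUTDATED", version, full)
```

Run it against %COSTPERFORM_HOME%\server\deploy\cc.ear and webswing-server.war after the replacement; an empty OUTDATED list for every archive (plus a check of %COSTPERFORM_HOME%\lib\) confirms nothing was skipped.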

What's next?

We will incorporate the fixes that Log4j will release into our next release.

More information

If you require more information please contact our Support line on +31 (0) 85 023 2114 or send an email to support@costperform.com.

Relevant Links

CVE-2021-45105 information
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
Background information
https://fossa.com/blog/how-fix-new-log4j-dos-vulnerability-cve-2021-45105/
Apache Log4J home
https://logging.apache.org/log4j/2.x