Articles in this section

Log4j Vulnerability

Avatar
Jason Stevens
  • Updated
Follow

Updated 10 February 2022

The National Vulnerability Database has logged a vulnerability for packages using Apache Log4j, versions 2 through 2.14.1. Basis has audited our code and determined that the only products impacted are RNI Web Services, which is deprecated and Rosette Server, which doesn't log user input. Our Elasticsearch plugins support versions of Elasticsearch which are impacted. All other products which use log4j use version 1.2, so they are not affected.

More information on log4j can be found at: https://logging.apache.org/log4j/2.x/index.html

RNI Web Services

This vulnerability has been removed in RNI version 7.36.1.c65.0. It now uses the 2.17.1 version of log4j.

Note

These changes are only necessary for RNI Web Services customers. If you do not use the RNI Web Services component, no action is necessary. RNI Web Services is a deprecated component.

If you are using a previous version and using RNI Web Services, we recommend you take one of the following actions:

EITHER

  • Stop RNI Web Service, navigate to the bt_root/rlpnc/rws-names/lib/ directory, execute this command to remove the vulnerable code from the log4j jar files and restart the RNI Web Service

    zip -q -d log4j-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

OR

  • Uninstall RNI Web Services by deleting the rni-web services directory (rws-names). Disable any service/daemon running the web services.

Rosette Server

Rosette Server uses log4j but does not log the user input, We have removed the vulnerability in Rosette Server.

  • We upgraded log4j to version 2.16 in 1.20.1.

  • We upgraded log4j to version 2.17 in 1.20.2.

  • We upgraded log4j to version 2.17.1 in 1.20.3.

  • We released 1.20.4 to update RNI to the RNI 7.36.1.c65.0 root.

To patch earlier Rosette Server releases:

  • Edit the file server/conf/wrapper.conf and add the line:

    wrapper.java.additional.310=-Dlog4j2.formatMsgNoLookups=true

RNI-ES

  • We've released RNI-ES 7.10.2.5 from which the vulnerable version of log4j was removed.

  • We've released RNI-ES 7.15.2.0 from which the vulnerable version of log4j was removed.

  • We've released RNI-ES 7.16.2.0 to support Elasticsearch 7.16.2 which does not have the vulnerability.

RBL-ES

  • We've released RBL-ES 6.8.22.0 to support Elasticsearch 6.8.22 which does not have the vulnerability.

  • We've released RBL-ES 7.16.2.0 to support Elasticsearch 7.16.2 which does not have the vulnerability.

Related articles

Comments

0 comments

Article is closed for comments.





Powered by Zendesk