How to update log4j on Windows

Oxygen XML Patch Tool for Apache Log4j vulnerability CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105

This is a tool that updates the log4j version 2 library to version 2.17.1 in an:

  • Oxygen XML Editor/Author/Developer standalone installation, or
  • Oxygen XML Editor/Author/Developer plugin for Eclipse installation, or
  • Oxygen PDF Chemistry installation, or
  • Oxygen Publishing Engine installation, or
  • Oxygen XML Web Author for "all platforms" installation

The recommended Oxygen versions to apply this tool on range from 16.1 to 24.0 inclusive.

For newer Oxygen versions, like 22.1, 23.1 or 24.0 there are kits available on the Oxygen website that contain the log4j 2.16 library (resolves CVE-2021-44228 and CVE-2021-45046), at https://www.oxygenxml.com/software_archive.html and https://www.oxygenxml.com/download.html respectively.

It will not work for Web Author or Content Fusion. For these please see the security advisory at https://www.oxygenxml.com/security/advisory/CVE-2021-44228.html to determine the appropriate action. For Oxygen XML Content Fusion you should use this script: https://github.com/oxygenxml/content-fusion-log4j-patcher

Download

You can download the tool directly from GitHub, using this link.
https://github.com/oxygenxml/oxygen-log4j-patcher/archive/refs/heads/main.zip

Unzip it to a directory of your choice. Keep track of the directory where you have unzipped the file.

How to apply it

On Windows:

  1. Make sure the Oxygen application is closed.
  2. Start a "Command Prompt" window with administrative privileges. To do this, press the "Start" button, type cmd, then choose "Run as administrator" from the menu.
  3. Change directory to the directory of the 'patch.bat' file. For example, if you extracted the archive in your 'Downloads' folder, type cd %USERPROFILE%/Downloads/oxygen-log4j-patcher-main in the "Command Prompt" window and press ENTER.
  4. Type patch.bat in the "Command Prompt" window and press ENTER.
  5. Follow the instructions given by the script.

On Mac:

  1. Make sure you are running as a user with administrator privileges.
  2. Change directory to the directory of the 'patch.sh' file (for instance, cd /Users/user/Downloads/oxygen-log4j-patcher-main).
  3. Type sh patch.sh in the terminal and press ENTER.
  4. Follow the instructions given by the script.

On Linux:

  1. If the Oxygen application was installed as a superuser, type sudo -s in a terminal to open a shell with sufficient rights.
  2. Change directory to the directory of the 'patch.sh' file (for instance, cd ~/Downloads/oxygen-log4j-patcher-main).
  3. Type sh patch.sh in the terminal and press ENTER.
  4. Follow the instructions given by the script.

Limitations:

  1. For Oxygen XML Web Author, the patch will not touch a custom data directory or a custom DITA-OT directory if they are located outside the installation directory.

The security game is complex, and it’s a hard one to play and get right. The unfortunate reality is that the good guys have to be right consistently, whereas the bad guys only have to be right once. A prime example of this complex game is Log4j.

Chances are you either have extensive knowledge of Log4j or have at least heard about it. The Log4j flaw is the latest in a line of extremely versatile vulnerabilities with widespread susceptibility. Log4j is an open-source logging library, or mechanism, used by Java. It lets Apache (and other Java) software log all Java activity: fatal errors, split logs, security events, and so on.

The latest vulnerability in it was discovered around December 10th, 2021. The vulnerability allows hackers to execute remote code on vulnerable assets. Remote code execution here means hackers send crafted lookup strings to the vulnerable asset, which then lets them run a multitude of backend commands on the server. The start of this vulnerability saw hackers installing crypto miners on assets. It quickly evolved into installation of ransomware and has now gone even further, allowing extraction of data such as usernames, passwords and credit card data.

Over 58% of organizations are still using vulnerable versions of Log4j. The staggering statistic is that 40% of users are still downloading vulnerable Log4j versions from Apache. When we look at the history of similar vulnerabilities such as WannaCry/EternalBlue, we will be dealing with and responding to this vulnerability for years to come. This lasting impact makes it imperative to get ahead of this and address it ASAP. There are a couple of methods to fight this.

The first, most straightforward way is to not run the vulnerable versions of Log4j. This means patching if you are currently running the software. Due to the complex nature of workloads, this approach is unfortunately not always feasible immediately because of the possible impact on other assets that are running the workload.

This means possibly taking a bifurcated approach to fighting this vulnerability. I have provided detailed instructions below on how to patch to a newer version of Log4j that is not vulnerable. However, because of possible workload impacts, it is important to understand what other effects the patch could have on the workload. Once you have gone through a risk assessment of the patching, you can determine which assets can and cannot be patched.

The second prong means protecting the assets that cannot be patched. The easiest way to do this is with a Web Application Firewall (WAF). I say this is the easiest way, but the care and feeding of a WAF can be complex. When you look at the ever-evolving attack types in conjunction with the development of your own workloads, you have to be vigilant about updating the WAF rules as appropriate. Yes, there are self-learning WAFs, but these still require checks and balances and manual intervention for the best protection possible.

As a result of leveraging both patching and a WAF, you will have an immediate 20% increase in your security posture. Also, the best news is your applications will not be vulnerable to the Log4j exploit which could save you from nasty fines, customer loss and huge reputation hits.

How to patch Log4j

  • For Java 8+: upgrade to 2.17.1 and for Java 7: upgrade to 2.12.4 from the patch link and migration guide available in the references.
  • Users can remove the JndiLookup class (the class that performs the JNDI/LDAP lookup) from log4j-core by using the command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • Set "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false", if acceptable on your JVM version, to mitigate the vulnerability.
  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • The recommended action is to upgrade to Log4j 2.17.0, which is the latest version of Log4j2. For example, within the pom.xml of your application include:

<properties>
    <log4j2.version>2.17.0</log4j2.version>
</properties>
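The mitigations above leave two things to verify on every host: which log4j-core version is actually deployed, and whether JndiLookup.class is still inside the jar. The following checker is an added example written for this page (not code from the original post or from ivision): it walks a directory such as WEB-INF/lib, reads each log4j-core jar's embedded Maven pom.properties for the version, tests for the JndiLookup entry, and classifies the jar using the 2.17.1 (Java 8+) and 2.12.4 (Java 7) thresholds named above. The sample jars it builds in demo() are constructed, minimal stand-ins containing only the two entries the checker reads.

```python
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    # "2.13.3" -> (2, 13, 3); a qualifier like "-rc1" and missing parts count as 0
    parts = [int(p.split("-")[0]) if p.split("-")[0].isdigit() else 0 for p in text.split(".")]
    return tuple(parts + [0, 0, 0])[:3]

def jar_version(zf):
    # Version comes from the Maven pom.properties that log4j-core ships inside the jar
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def assess_jar(path):
    # Returns "fixed", "mitigated" (JndiLookup.class stripped) or "VULNERABLE"
    with zipfile.ZipFile(path) as zf:
        v = parse_version(jar_version(zf) or "0")
        has_jndi = JNDI_LOOKUP in zf.namelist()
    # Fixed lines named on this page: 2.17.1+ (Java 8+) and 2.12.4+ (Java 7 branch)
    if v >= (2, 17, 1) or (2, 12, 4) <= v < (2, 13, 0):
        return "fixed"
    if not has_jndi:
        return "mitigated"
    return "VULNERABLE"

def scan_tree(root):
    # Walk a directory such as WEB-INF/lib; map each log4j-core jar name to its status
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                found[name] = assess_jar(os.path.join(dirpath, name))
    return found

def build_sample_jar(path, version, include_jndi=True):
    # Constructed sample jar holding only the two entries the checker reads
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not a real class

def demo():
    root = tempfile.mkdtemp()
    build_sample_jar(os.path.join(root, "log4j-core-2.13.3.jar"), "2.13.3")
    build_sample_jar(os.path.join(root, "log4j-core-2.13.3-nojndi.jar"), "2.13.3", False)
    build_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    return scan_tree(root)
```

Call demo() to see the three constructed cases classified, or scan_tree() against a real WEB-INF/lib or /gxjava directory; a "mitigated" result means the class was stripped but the version is still old, so the upgrade should still be scheduled.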

ivision has the security experience and expertise to assist your business with the necessary steps to keep the good guys in charge. Learn more about our security offerings and how to get started.  


Migrating from older versions of Log4j to newer versions in Java projects

Log4j is a popular logging framework used in Java projects for logging application events and messages. As new versions of Log4j are released, it is important to keep your code up to date to take advantage of improved features, bug fixes, and security enhancements.

In this article, we will discuss the process of migrating from older versions of Log4j to newer versions in Java projects. We will look at the steps involved and provide code examples to help you along the way.

Step 1: Identify the current Log4j version

Before you can start the migration process, you need to identify the version of Log4j that is currently being used in your Java project. This can be done by checking the dependencies in your project’s build configuration file (e.g., pom.xml for Maven projects).

Step 2: Research the changes introduced in newer versions

Once you have identified the current Log4j version, you should research the changes introduced in the newer versions. Look at the release notes and documentation for each version to understand the new features, deprecated APIs, and any breaking changes that may affect your code.

Step 3: Update dependencies

After understanding the changes in the newer versions, you need to update the Log4j dependencies in your project. This can be done by modifying the dependencies section in your project’s build configuration file.

Here’s an example using Maven:

<dependencies>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>2.17.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.17.0</version>
    </dependency>
</dependencies>

Make sure to replace the version number with the latest version available.

Step 4: Update Log4j configurations

Next, you need to update your Log4j configurations to ensure they are compatible with the new version. This may involve making changes to the log4j.properties or log4j.xml file.

For example, if you were using the PatternLayout in your log4j.properties file, and it is now deprecated in the newer version, you need to replace it with the updated layout.

log4j.appender.file.layout=org.apache.logging.log4j.core.layout.PatternLayout

Step 5: Refactor deprecated APIs

If the newer Log4j version has deprecated any APIs that you are using in your code, you should refactor them to use the recommended alternatives. This will ensure that your code remains compatible and future-proof.

For instance, if the Logger method isDebugEnabled() is deprecated, you should replace it with isEnabled(Level.DEBUG).

if (logger.isEnabled(Level.DEBUG)) {
    logger.debug("Debug log message");
}

Step 6: Test thoroughly

After completing the migration steps, it is important to thoroughly test your application’s logging functionality. Run various scenarios and verify that the logs are generated as expected. Pay attention to any warning or error messages in the application logs that might indicate issues with the migration.

Conclusion

Migrating from older versions of Log4j to newer versions in Java projects is a necessary step to keep your codebase up to date and benefit from the latest features and improvements. By following the steps outlined in this article, you can ensure a smooth and successful migration process.


This article gives tips about ways to update the log4j library, one of the External utilities used by GeneXus-generated web applications, in different environments.

These tips are useful for any installation, independently of the GeneXus version.

Runtime Environment

Replace the following .jar files in your application installation. They may be in the WEB-INF/lib folder of the web application on the web server, referenced in the classpath of a command-line application, or elsewhere:

  • log4j-core-x.x.x.jar
  • log4j-api-x.x.x.jar
  • log4j-1.2-api-x.x.x.jar

where x.x.x is 2.17.1 or the latest available log4j version.

Development Environment

Several changes are required in order to use the new libraries at prototyping and deployment time.

Prototyping time

1) Replace these files, if present in the /gxjava folder of the installation directory, with the newer version:

  • log4j-core-x.x.x.jar
  • log4j-api-x.x.x.jar
  • log4j-1.2-api-x.x.x.jar

2) Add the new versions to the classpath.

Note: If you do not set the classpath, you will get an error like 'Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/lookup/MapLookup'.

3) Edit createwebapplication.bat so that it deletes the old log4j libraries and copies the new ones.

   1) Add the commands to copy the new log4j API to the file ~/gxjava/createwebapplication.bat.
   2) Find the following section in the file:

if %8 == "6" goto copy_files_java6
if exist %1\webapps\%2\WEB-INF\lib\log4j-api-2.3.jar del %1\webapps\%2\WEB-INF\lib\log4j-api-2.3.jar
if exist %1\webapps\%2\WEB-INF\lib\log4j-core-2.3.jar del %1\webapps\%2\WEB-INF\lib\log4j-core-2.3.jar
if exist %1\webapps\%2\WEB-INF\lib\log4j-api-2.11.2.jar del %1\webapps\%2\WEB-INF\lib\log4j-api-2.11.2.jar
if exist %1\webapps\%2\WEB-INF\lib\log4j-core-2.11.2.jar del %1\webapps\%2\WEB-INF\lib\log4j-core-2.11.2.jar
if exist %1\webapps\%2\WEB-INF\lib\mail.jar del %1\webapps\%2\WEB-INF\lib\mail.jar
xcopy log4j-api-2.13.3.jar %1\webapps\%2\WEB-INF\lib /Y /D
xcopy log4j-core-2.13.3.jar %1\webapps\%2\WEB-INF\lib /Y /D
xcopy javax.mail-1.6.2.jar %1\webapps\%2\WEB-INF\lib /Y /D

and do the following changes:

if exist %1\webapps\%2\WEB-INF\lib\log4j-api-2.3.jar del %1\webapps\%2\WEB-INF\lib\log4j-api-2.3.jar
if exist %1\webapps\%2\WEB-INF\lib\log4j-core-2.3.jar del %1\webapps\%2\WEB-INF\lib\log4j-core-2.3.jar
if exist %1\webapps\%2\WEB-INF\lib\log4j-api-2.11.2.jar del %1\webapps\%2\WEB-INF\lib\log4j-api-2.11.2.jar
if exist %1\webapps\%2\WEB-INF\lib\log4j-core-2.11.2.jar del %1\webapps\%2\WEB-INF\lib\log4j-core-2.11.2.jar

REM ADD THESE TWO LINES
if exist %1\webapps\%2\WEB-INF\lib\log4j-api-2.13.3.jar del %1\webapps\%2\WEB-INF\lib\log4j-api-2.13.3.jar
if exist %1\webapps\%2\WEB-INF\lib\log4j-core-2.13.3.jar del %1\webapps\%2\WEB-INF\lib\log4j-core-2.13.3.jar

if exist %1\webapps\%2\WEB-INF\lib\mail.jar del %1\webapps\%2\WEB-INF\lib\mail.jar

REM MODIFY THESE TWO LINES, ADDING THE NEW API VERSION
xcopy log4j-api-x.x.x.jar %1\webapps\%2\WEB-INF\lib /Y /D
xcopy log4j-core-x.x.x.jar %1\webapps\%2\WEB-INF\lib /Y /D

REM MODIFY THIS LINE, ADDING THE NEW API VERSION, IF YOU ARE ON GENEXUS 17 UPGRADE 7 OR HIGHER
xcopy log4j-1.2-api-x.x.x.jar %1\webapps\%2\WEB-INF\lib /Y /D

xcopy javax.mail-1.6.2.jar %1\webapps\%2\WEB-INF\lib /Y /D

Note: Lines of this code snippet may depend on the GeneXus version.

Deployment time

For GeneXus 16 upgrade 5 or higher

Change the inputs in the file ~/gxjava/JavaLibs.targets that reference the log4j files.

Example:

            <Lib Include="log4j-core-x.x.x.jar">
                <System>true</System>
                <VersionSpecific>7</VersionSpecific>
                <Reorg>true</Reorg>
            </Lib>
            <Lib Include="log4j-api-x.x.x.jar">
                <System>true</System>
                <VersionSpecific>7</VersionSpecific>
                <Reorg>true</Reorg>
            </Lib>
            <Lib Include="log4j-1.2-api-x.x.x.jar">
                <System>true</System>
                <VersionSpecific>7</VersionSpecific>
            </Lib>

Security tip

  • Do not download binary files from untrusted sources; use a trusted official source such as maven.org.

Note: This article is specific to log4j and not generic for all external libraries, because log4j has maintained backward compatibility. The best practice to avoid security issues is not just to update log4j but to upgrade to the newest version of GeneXus.

See Also

  • CVE-2021-44228 mitigation related to log4j library
  • Log4j updated to 2.17.1
  • GeneXus policies regarding security issues in applications


BPS Version: 2021.1.3.205

Overview

On 2021-12-13, documentation was added describing how to update log4j to fix the newly found vulnerabilities.

Since I don’t like to do things manually, I created a PowerShell script for this process after returning from my vacation.

Script information

Basically, the script does everything that is listed in the documentation.

  1. The script downloads the log4j release into the temp folder. Afterwards it is extracted and the unnecessary javadoc and sources files are removed.
  2. The search service is stopped.
  3. The existing files in the two folders are removed, after requesting your confirmation.
  4. The new files are copied into the folders.
  5. The search service is restarted.
  6. The verification URLs are opened to check whether SOLR could be restarted. It may take a few seconds until the page is displayed, and you may need to refresh the URL.

The script checks whether it is executed with administrative privileges. These are necessary to start/stop the search service.

Things which can be changed:

  1. The URL of the latest version:

     $fileUrl = "https://dlcdn.apache.org/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip"

  2. If you don't want to confirm the deletion you can remove the -Confirm flag. I used this to verify the correct file path.

     # With confirmation
     Get-ChildItem $solrContribFolder -Filter $log4jApiFilePattern | Remove-Item -Confirm
     # Without confirmation
     Get-ChildItem $solrContribFolder -Filter $log4jApiFilePattern | Remove-Item

Download

The script can be downloaded from this repository.
Direct download
