This page will be updated over the coming days as and when new information is available.
Introduction
Several serious vulnerabilities have been found recently in Apache Log4j (the Java-based logging utility):
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 - present in Apache Log4j 2.0 - 2.14.1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 - present in Apache Log4j 2.0 - 2.15.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105 - present in Apache Log4j 2.0 - 2.16.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832 - present in Apache Log4j 2.0 - 2.17.0
See also https://logging.apache.org/log4j/2.x/security.html.
Any Java application that makes use of Apache Log4j version 2.0 - 2.17 is impacted by these vulnerabilities. Apache has fixed all currently known vulnerabilities in Apache Log4j 2.17.1. CAST makes use of Apache Log4j 2.0 - 2.16 in various products, therefore this page explains:
- which products are affected by these vulnerabilities
- how CAST plans to mitigate the threat
- what you can do to prevent the vulnerability from being exploited
Which CAST products are affected?
Affected product | Affected by CVE-2021-44228 | Affected by CVE-2021-45046 | Affected by CVE-2021-45105 and CVE-2021-44832 |
---|---|---|---|
CAST Dashboards/RestAPI | All releases (up to 2.4.0-funcrel) of any of the following: | All releases (up to 2.4.1-funcrel) of any of the following: | All releases (up to 2.4.3-funcrel) of any of the following: |
CAST AIP Console | All releases (up to 1.26.0-funcrel and 2.0.0-beta releases) of any of the following: | All releases (up to 1.26.1-funcrel and 2.0.0-beta releases) of any of the following: | All releases (up to 1.27.0-funcrel and 2.0.0-beta releases) of any of the following: |
CAST Imaging | All releases from 2.2.0-beta1 up to 2.7.0-funcrel. The vulnerability is found in the third-party software Neo4j ≥ 4.2. | All releases from 2.2.0-beta1 up to 2.7.1-funcrel. The vulnerability is found in the third-party software Neo4j ≥ 4.2. | |
AIP Core: CAST Management Studio | All releases up to 8.3.41. The vulnerability is found in an embedded WAR file used in CAST Management Studio. | | |
JEE Analyzer extension | All releases up to 1.3.5-funcrel. The analyzer provides Environment Profiles to handle specific frameworks and a legacy Log4j JAR (1.12.4) is provided in %PROGRAMDATA%\CAST\CAST\Extensions\com.castsoftware.jee.1.3.5-funcrel\EnvProf\J2EE\Log4j. | | |
Delivery Folder Migration Tool | All releases up to 1.0.3-funcrel. | All releases up to 1.0.4-funcrel. | |
Security for Java extension | All releases up to 1.6.5-funcrel. | All releases up to 1.6.6-funcrel. | |
PHP extension | All releases up to 3.1.0-beta. The vulnerability is located in the pre-processor (Configuration\Languages\PHP\prepro folder). | | |
Message Queues extension | All releases up to 1.2.2-funcrel. The vulnerability is located in the shipped RabbitMQ jars (jars\RabbitMQ_jars folder). | | |
How does CAST plan to mitigate the threat?
CAST will release updates to affected products in the coming days - these updates will contain Apache Log4j 2.16.0 / 2.17.0 / 2.17.1 which include the fixes for these vulnerabilities. Only the most recent releases of each affected product will be patched, therefore this necessarily means upgrading to the newest release to receive the patch (CAST highly recommends this in all situations where possible).
Current status:
What you can do to prevent the vulnerability from being exploited
If you are waiting for a patch from CAST for an impacted product, or you cannot upgrade to the CAST product release containing Apache Log4j 2.16.0 or 2.17.0/2.17.1, you can perform the actions listed below to mitigate the vulnerability.
Previous advice given on this page about using a Microsoft Windows environment variable to set LOG4J_FORMAT_MSG_NO_LOOKUPS = true, or passing -Dlog4j2.formatMsgNoLookups=true as a Java parameter when launching CAST products, has been found to be ineffective at stopping RCE in some situations, as explained by Apache and in CVE-2021-45046.
In addition, other advice previously given to manually remove the JndiLookup.class file has been found to cause errors when restarting some CAST products.
As such this documentation has been removed. The only known reliable method of mitigating the threat at this time (where upgrading to a new release of CAST products containing Apache Log4j 2.16.0 / 2.17.0 / 2.17.1 is not possible or not available) is to manually patch your installation with Apache Log4j 2.17.0 / 2.17.1 (as explained below).
CAST Dashboards/RestAPI
Before starting:
- ensure that you stop any running services.
- download and extract either:
  - the Apache Log4j 2.17.0 patch from https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip (approx 15MB).
  - the Apache Log4j 2.17.1 patch from https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip (approx 14MB).
- the instructions include a step which requires the use of the Java "jar" command. This command is only recognised when you have installed a Java JDK. If you only have the JRE, then the command will fail.
ZIP file deployment (≥ 2.0.0-funcrel)
Find the following file:
<unpacked_zip>\<dashboard>-<version>.jar
Microsoft Windows action
Extract the .JAR file with 7Zip (use the right click Extract files... option) to a temporary folder for example C:\CAST\temp\
When extracted, drill down to the following location: C:\CAST\temp\<folder>\BOOT-INF\lib\ and locate the four files listed below. Delete these four files and then replace them with the equivalent 2.17.0/2.17.1 files located in the ZIP you downloaded from Apache:
- log4j-api-*.jar
- log4j-core-*.jar
- log4j-jul-*.jar
- log4j-slf4j-impl-*.jar
Open a command prompt using CMD and navigate to C:\CAST\temp\<folder>. Run the command listed below in the CMD window. This action will generate a new .JAR file containing the updated Apache Log4j 2.17.0/2.17.1 files. Ensure you define the correct name for the .jar file - it must match the name used in the default installation:
jar cMvf0 <dashboard>-<version>.jar *
Note that the "jar" command is only recognised when you have installed a Java JDK. If you only have the JRE, then the command will fail.
You now need to copy this new .JAR file into the original unpacked Dashboard ZIP installation folder and overwrite the original file. Restart the CAST Dashboard to ensure the change is taken into account.
Linux action
Create a temporary folder and unzip the <unpacked_zip>/<dashboard>-<version>.jar file into this new empty folder:
mkdir -p $HOME/CAST/temp
unzip path/to/<unpacked_zip>/<dashboard>-<version>.jar -d $HOME/CAST/temp
Delete the following four files located in the BOOT-INF/lib/ folder in the folder containing the extracted CAST Dashboard .JAR:
- log4j-api-*.jar
- log4j-core-*.jar
- log4j-jul-*.jar
- log4j-slf4j-impl-*.jar
cd $HOME/CAST/temp/BOOT-INF/lib/
rm -f log4j-api-*.jar log4j-core-*.jar log4j-jul-*.jar log4j-slf4j-impl-*.jar
Copy the equivalent four 2.17.0 files located in the ZIP you downloaded from Apache into the extracted BOOT-INF/lib/ folder:
cp $HOME/CAST/<unpacked_Apache_ZIP>/{log4j-api-2.17.0.jar,log4j-core-2.17.0.jar,log4j-jul-2.17.0.jar,log4j-slf4j-impl-2.17.0.jar} $HOME/CAST/temp/BOOT-INF/lib/
Navigate into the folder containing the extracted CAST Dashboard .JAR and run the command listed below. This action will generate a new .JAR file containing the updated Apache Log4j 2.17.0/2.17.1 files. Ensure you define the correct name for the .jar file - it must match the name used in the default installation:
cd $HOME/CAST/temp
jar cMvf0 <dashboard>-<version>.jar *
Note that the "jar" command is only recognised when you have installed a Java JDK. If you only have the JRE, then the command will fail.
Copy the new <dashboard>-<version>.jar file into the original location of this file, replacing the original:
cp <dashboard>-<version>.jar path/to/<unpacked_zip>
Restart the CAST Dashboard to ensure the change is taken into account.
Apache Tomcat deployment (any release)
Browse to the following location:
CATALINA_HOME\webapps\<dashboard>\WEB-INF\lib\
Delete these four files and then replace them with the equivalent 2.17.0/2.17.1 files located in the ZIP you downloaded from Apache:
CAST Dashboards 1.x | CAST Dashboards 2.x |
---|---|
Restart the CAST Dashboard to ensure the change is taken into account.
CAST AIP Console
Before starting note the following:
- ensure that you stop any running services.
- download and extract either:
  - the Apache Log4j 2.17.0 patch from https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip (approx 15MB).
  - the Apache Log4j 2.17.1 patch from https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip (approx 14MB).
- the instructions include a step which requires the use of the Java "jar" command. This command is only recognised when you have installed a Java JDK. If you only have the JRE, then the command will fail.
- restart the relevant services to ensure that the changes are taken into account.
Microsoft Windows (AIP Console front-end and AIP Node back-end)
Log4j files are found in two locations:
Location 1
Locate the following files and repeat the instructions below for all files:
Service | File |
---|---|
AIP Console front-end service | %PROGRAMFILES%\CAST\AipConsole\AipConsole\bin\aip-console-app.jar |
All AIP Node services | %PROGRAMFILES%\CAST\AipConsole\AipNode\bin\aip-node-app.jar |
Extract each .JAR file with 7Zip (use the right click Extract files... option) to a temporary folder (use one folder for each JAR), for example C:\CAST\temp\<folder>.
When extracted, drill down to the following location: C:\CAST\temp\<folder>\BOOT-INF\lib\ in each extracted folder and locate the four files listed below. Delete these four files and then replace them with the equivalent 2.17.0/2.17.1 files located in the ZIP you downloaded from Apache. Repeat for each AIP Console .JAR file you have extracted.
- log4j-api-*.jar
- log4j-core-*.jar
- log4j-jul-*.jar
- log4j-slf4j-impl-*.jar
Open a command prompt using CMD and navigate to C:\CAST\temp\<folder>. Run the command listed below in the CMD window, keeping the original file name (aip-console-app.jar for the AIP Console front-end, aip-node-app.jar for an AIP Node). Repeat for each AIP Console/Node .JAR file you have extracted. This action will generate a new .JAR file containing the updated Apache Log4j 2.17.0/2.17.1 files:
jar cMvf0 aip-console-app.jar *
Note that the "jar" command is only recognised when you have installed a Java JDK. If you only have the JRE, then the command will fail.
You now need to copy this new .JAR file to the relevant CAST AIP Console/Node installation folder under /bin and overwrite the original.
Location 2
Browse to the following location on all AIP Node services:
%PROGRAMFILES%\CAST\AipConsole\AipNode\admin\bin\lib
Locate the three files listed below. Delete these files and then replace them with the equivalent 2.17.0/2.17.1 files located in the ZIP you downloaded from Apache. Repeat for each AIP Node service:
- log4j-api-*.jar
- log4j-core-*.jar
- log4j-to-slf4j-*.jar
Linux (AIP Console service only)
Locate the following file:
<AIPConsole_install>/bin/aip-console-app.jar
Create a temporary folder and unzip this .JAR file into this new empty folder:
mkdir -p $HOME/CAST/temp
unzip <AIPConsole_install>/bin/aip-console-app.jar -d $HOME/CAST/temp
Delete the following four files located in the BOOT-INF/lib/ folder in the folder containing the extracted AIP Console .JAR:
- log4j-api-*.jar
- log4j-core-*.jar
- log4j-jul-*.jar
- log4j-slf4j-impl-*.jar
cd $HOME/CAST/temp/BOOT-INF/lib/
rm -f log4j-api-*.jar log4j-core-*.jar log4j-jul-*.jar log4j-slf4j-impl-*.jar
Copy the equivalent four 2.17.0 files located in the ZIP you downloaded from Apache into the extracted BOOT-INF/lib/ folder:
cp $HOME/CAST/<unpacked_Apache_ZIP>/{log4j-api-2.17.0.jar,log4j-core-2.17.0.jar,log4j-jul-2.17.0.jar,log4j-slf4j-impl-2.17.0.jar} $HOME/CAST/temp/BOOT-INF/lib/
Navigate into the folder containing the extracted AIP Console .JAR and run the command listed below. This action will generate a new .JAR file containing the updated Apache Log4j 2.17.0/2.17.1 files:
cd $HOME/CAST/temp
jar cMvf0 aip-console-app.jar *
Note that the "jar" command is only recognised when you have installed a Java JDK. If you only have the JRE, then the command will fail.
Copy the new aip-console-app.jar file into the original location of this file, replacing the original:
cp aip-console-app.jar <AIPConsole_install>/bin
AIP Core: CAST Management Studio
Before starting note the following:
- close CAST Management Studio if it is already open.
- download and extract either:
  - the Apache Log4j 2.17.0 patch from https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip (approx 15MB).
  - the Apache Log4j 2.17.1 patch from https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip (approx 14MB).
Introduction
CAST Management Studio includes an embedded WAR file that is used by the Open dashboard option.
When the option is clicked, the embedded WAR file is launched on the fly and it is this WAR file that contains Log4j files. To mitigate this, there are two steps listed below:
Clean up temporary files
When the option is clicked, CAST Management Studio deploys the embedded WAR file in the following location - the deployed location will contain the Log4j files (as well as being present in the WAR file):
%TEMP%\jetty-0_0_0_0-0-CAST-AED-CMS_war-_CAST-AED-CMS-any-<random_id>.dir
You should first delete this folder entirely.
Replace existing Log4j JAR files
Browse to the following location and locate the embedded WAR file:
%PROGRAMFILES%\CAST\8.3\WARS\internal\CAST-AED-CMS.war
Extract the WAR file using 7Zip (use the right click Extract files... option) to a temporary folder, for example C:\CAST\temp\<folder>. When extracted, drill down to the following location: C:\CAST\temp\<folder>\WEB-INF\lib and locate the four files listed below. Delete these four files and then replace them with the equivalent 2.17.0/2.17.1 files located in the ZIP you downloaded from Apache:
- log4j-api-*.jar
- log4j-core-*.jar
- log4j-jcl-*.jar
- log4j-web-*.jar
Now archive the extracted files and create a new WAR file called CAST-AED-CMS.war using 7Zip.
Copy the resulting .WAR file and paste it into the following location, overwriting the existing WAR file:
%PROGRAMFILES%\CAST\8.3\WARS\internal\CAST-AED-CMS.war
The next time you use the Open dashboard option in CAST Management Studio, the newly created WAR file will be deployed to %TEMP% and then used.
Message Queues extension
Before starting note the following:
- ensure that you are not currently running an analysis that uses this extension.
- download and extract either:
  - the Apache Log4j 2.17.0 patch from https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip (approx 15MB).
  - the Apache Log4j 2.17.1 patch from https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip (approx 14MB).
Browse to the following location in the installed extension on all AIP Nodes:
%PROGRAMDATA%\CAST\CAST\Extensions\com.castsoftware.mqe.<version>\jars\RabbitMQ_jars
Locate the two files listed below. Delete these files and then replace them with the equivalent 2.17.0/2.17.1 files located in the ZIP you downloaded from Apache. Repeat for each AIP Node service where this extension is installed:
- log4j-api-*.jar
- log4j-to-slf4j-*.jar
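The manual steps above (Dashboards and AIP Console JARs, the CMS WAR, and the plain lib folders) all end the same way: the only Log4j 2 jars left in place must be the 2.17.x ones. As an added check that is not part of CAST's or Apache's instructions, this Python script lists every Log4j 2 jar nested in a fat JAR or WAR without unpacking it to disk, flags anything older than 2.17.1, and confirms the nested jars are still stored uncompressed as `jar cMvf0` leaves them. The archive it builds for the demonstration is constructed here; its class files are dummy bytes, not Log4j code.

```python
import io
import re
import zipfile

FIXED = (2, 17, 1)  # Apache Log4j release that fixes all four CVEs listed on this page
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# e.g. log4j-core-2.14.1.jar or log4j-slf4j-impl-2.16.0.jar -> (artifact, version)
LOG4J2_JAR = re.compile(r"(log4j(?:-[a-z0-9]+)*)-(2(?:\.\d+)+)\.jar$")

def scan_archive(data: bytes) -> list:
    """One finding per Log4j 2 jar nested anywhere in the archive (BOOT-INF/lib, WEB-INF/lib)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            match = LOG4J2_JAR.search(info.filename)
            if not match:
                continue
            version = tuple(int(p) for p in match.group(2).split("."))
            with zipfile.ZipFile(io.BytesIO(outer.read(info))) as inner:
                names = set(inner.namelist())
            findings.append({
                "path": info.filename,
                "artifact": match.group(1),
                "needs_patch": version < FIXED,
                # Informational: the class ships in every 2.x release, 2.17.1 included;
                # only its absence says something (an earlier manual removal was applied).
                "jndi_lookup_present": JNDI_CLASS in names,
                # Spring Boot needs nested jars STORED, which the "0" in `jar cMvf0` preserves.
                "stored": info.compress_type == zipfile.ZIP_STORED,
            })
    return findings

def needs_patch(data: bytes) -> bool:
    return any(f["needs_patch"] for f in scan_archive(data))

def build_sample_jar(version: str, stored: bool = True) -> bytes:
    """Constructed stand-in for <dashboard>-<version>.jar; class bodies are dummy bytes."""
    def nested(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name in entries:
                z.writestr(name, b"\xca\xfe\xba\xbe")  # classfile magic only, not real code
        return buf.getvalue()
    ctype = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # Spring Boot layout: nested jars under BOOT-INF/lib/
        z.writestr("BOOT-INF/lib/log4j-api-%s.jar" % version,
                   nested(["org/apache/logging/log4j/Logger.class"]), compress_type=ctype)
        z.writestr("BOOT-INF/lib/log4j-core-%s.jar" % version,
                   nested(["org/apache/logging/log4j/core/Logger.class", JNDI_CLASS]), compress_type=ctype)
        z.writestr("BOOT-INF/lib/spring-boot-2.5.0.jar",  # unrelated jar, must be ignored
                   nested(["org/springframework/boot/SpringApplication.class"]), compress_type=ctype)
    return buf.getvalue()
```

Run `scan_archive` on the bytes of the original and the repacked `<dashboard>-<version>.jar` (or `aip-console-app.jar`, `CAST-AED-CMS.war`) and compare the two reports. For a plain lib folder such as `WEB-INF\lib`, `admin\bin\lib` or `jars\RabbitMQ_jars`, applying `LOG4J2_JAR` to the file names gives the same version check.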