This page will be updated over the coming days as and when new information is available.
Several serious vulnerabilities have been found recently in Apache Log4j (the Java-based logging utility):
See also https://logging.apache.org/log4j/2.x/security.html.
Any Java application that makes use of Apache Log4j version 2.0 - 2.17 is impacted by these vulnerabilities. Apache has fixed all currently known vulnerabilities in Apache Log4j 2.17.1. CAST makes use of Apache Log4j 2.0 - 2.16 in various products, therefore this page explains:
Affected product | Affected by CVE-2021-44228 | Affected by CVE-2021-45046 | Affected by CVE-2021-45105 and CVE-2021-44832 |
---|---|---|---|
CAST Dashboards/RestAPI | All releases (up to 2.4.0-funcrel) of any of the following: | All releases (up to 2.4.1-funcrel) of any of the following: | All releases (up to 2.4.3-funcrel) of any of the following: |
CAST AIP Console | All releases (up to 1.26.0-funcrel and 2.0.0-beta releases) of any of the following: | All releases (up to 1.26.1-funcrel and 2.0.0-beta releases) of any of the following: | All releases (up to 1.27.0-funcrel and 2.0.0-beta releases) of any of the following: |
CAST Imaging | All releases from 2.2.0-beta1 up to 2.7.0-funcrel. The vulnerability is found in the third-party software Neo4j ≥ 4.2. | All releases from 2.2.0-beta1 up to 2.7.1-funcrel. The vulnerability is found in the third-party software Neo4j ≥ 4.2. | |
AIP Core: CAST Management Studio | All releases up to 8.3.41. The vulnerability is found in an embedded WAR file used in CAST Management Studio. | ||
JEE Analyzer extension | All releases up to 1.3.5-funcrel. The analyzer provides Environment Profiles to handle specific frameworks and a legacy Log4j JAR (1.12.4) is provided in %PROGRAMDATA%\CAST\CAST\Extensions\com.castsoftware.jee.1.3.5-funcrel\EnvProf\J2EE\Log4j. | ||
Delivery Folder Migration Tool | All releases up to 1.0.3-funcrel. | All releases up to 1.0.4-funcrel. | |
Security for Java extension | All releases up to 1.6.5-funcrel. | All releases up to 1.6.6-funcrel. | |
PHP extension | All releases up to 3.1.0-beta. The vulnerability is located in the pre-processor (Configuration\Languages\PHP\prepro folder). | ||
Message Queues extension | All releases up to 1.2.2-funcrel. The vulnerability is located in the shipped RabbitMQ jars (jars\RabbitMQ_jars folder). | | |
CAST will release updates to affected products in the coming days; these updates will contain Apache Log4j 2.16.0 / 2.17.0 / 2.17.1, which include the fixes for these vulnerabilities. Only the most recent release of each affected product will be patched, so receiving the patch means upgrading to the newest release (CAST highly recommends this in all situations where possible).
Current status:
If you are waiting for a patch from CAST for an impacted product, or you cannot upgrade to the CAST product release containing Apache Log4j 2.16.0 or 2.17.0/2.17.1, you can perform the actions listed below to mitigate the vulnerability.
Previous advice given on this page about using a Microsoft Windows environment variable to set LOG4J_FORMAT_MSG_NO_LOOKUPS=true, or to pass -Dlog4j2.formatMsgNoLookups=true as a Java parameter when launching CAST products, has been found to be ineffective at stopping RCE in some situations, as explained by Apache and in CVE-2021-45046. In addition, other advice previously given to manually remove the JndiLookup.class file has been found to cause errors when restarting some CAST products. As such, this documentation has been removed. The only known reliable method of mitigating the threat at this time (where upgrading to a new release of CAST products containing Apache Log4j 2.16.0 / 2.17.0 / 2.17.1 is not possible or not available) is to manually patch your installation with Apache Log4j 2.17.0 / 2.17.1 (as explained below).
Before starting:
Find the following file:
<unpacked_zip>\<dashboard>-<version>.jar
Extract the .JAR file with 7-Zip (use the right-click Extract files... option) to a temporary folder, for example C:\CAST\temp\
When extracted, drill down to the following location: C:\CAST\temp\<folder>\BOOT-INF\lib\ and locate the four files listed below. Delete these four files and then replace them with the equivalent 2.17.0/2.17.1 files located in the ZIP you downloaded from Apache:
Open a command prompt using CMD and navigate to C:\CAST\temp\<folder>. Run the command listed below in the CMD window. This action will generate a new .JAR file containing the updated Apache Log4j 2.17.0/2.17.1 files. Ensure you define the correct name for the .jar file - it must match the name used in the default installation:
jar cMvf0 <dashboard>-<version>.jar *
Note that the "jar" command is only recognised when you have installed a Java JDK. If you only have the JRE, then the command will fail.
You now need to copy this new .JAR file into the original unpacked Dashboard ZIP installation folder and overwrite the original file. Restart the CAST Dashboard to ensure the change is taken into account.
Create a temporary folder and unzip the <unpacked_zip>/<dashboard>-<version>.jar file into this new empty folder:
mkdir $HOME/CAST/temp
unzip path/to/<unpacked_zip>/<dashboard>-<version>.jar -d $HOME/CAST/temp
Delete the following four files located in the BOOT-INF/lib/ folder in the folder containing the extracted CAST Dashboard .JAR:
cd $HOME/CAST/temp/BOOT-INF/lib/
rm -rf log4j-api-*.jar log4j-core-*.jar log4j-jul-*.jar log4j-slf4j-impl-*.jar
Copy the equivalent four 2.17.0 files located in the ZIP you downloaded from Apache into the extracted BOOT-INF/lib/ folder:
cp $HOME/CAST/<unpacked_Apache_ZIP>/{log4j-api-2.17.0.jar,log4j-core-2.17.0.jar,log4j-jul-2.17.0.jar,log4j-slf4j-impl-2.17.0.jar} $HOME/CAST/temp/BOOT-INF/lib/
Navigate into the folder containing the extracted CAST Dashboard .JAR and run the command listed below. This action will generate a new .JAR file containing the updated Apache Log4j 2.17.0/2.17.1 files. Ensure you define the correct name for the .jar file - it must match the name used in the default installation:
cd $HOME/CAST/temp
jar cMvf0 <dashboard>-<version>.jar *
Note that the "jar" command is only recognised when you have installed a Java JDK. If you only have the JRE, then the command will fail.
Copy the new <dashboard>-<version>.jar file into the original location of this file, replacing the original:
cp <dashboard>-<version>.jar path/to/<unpacked_zip>
Restart the CAST Dashboard to ensure the change is taken into account.
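After repacking (on Windows or Linux) it is worth confirming that the new archive really carries the fixed Log4j before restarting the service. The script below is an added example written for this page, not CAST's own tooling: it opens a Spring Boot style JAR (the Dashboard and AIP Console/Node JARs) or a WAR (the CAST-AED-CMS.war handled later on this page), finds every log4j-*.jar nested under BOOT-INF/lib/ or WEB-INF/lib/, reads the version from the nested MANIFEST.MF (falling back to the file name) and reports any entry below the minimum version. It also checks that each nested jar is stored uncompressed, because Spring Boot's launcher cannot load compressed nested jars; that is the reason the jar command above uses the 0 flag. The function names, the script name check_log4j.py, the minimum version 2.17.0 and the sample archive built by build_sample are the example's own assumptions.

```python
"""Post-patch check for a repacked CAST Dashboard / AIP Console JAR or the CMS WAR.

Added example, not CAST's own tooling. Finds log4j-*.jar entries nested under
BOOT-INF/lib/ (Spring Boot JAR) or WEB-INF/lib/ (WAR), reads their version and
flags entries that are older than the minimum or that are stored compressed.
"""
import io
import re
import sys
import zipfile
from dataclasses import dataclass

NESTED_LIB_DIRS = ("BOOT-INF/lib/", "WEB-INF/lib/")
# Matches log4j-api-2.17.1.jar, log4j-slf4j-impl-2.17.1.jar, ...
LOG4J_RE = re.compile(r"log4j-(?P<artifact>[a-z0-9-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


@dataclass
class Finding:
    path: str      # entry path inside the outer archive
    version: str   # Log4j version found for this entry
    stored: bool   # True when the nested jar is stored uncompressed
    ok: bool       # version >= minimum and stored


def parse_version(text):
    """'2.17.1' -> (2, 17, 1) so versions compare numerically; unparsable -> (0,)."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(part) for part in match.group(0).split(".")) if match else (0,)


def version_from_manifest(nested_jar_bytes):
    """Return Implementation-Version from a nested jar's MANIFEST.MF, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(nested_jar_bytes)) as nested:
            manifest = nested.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return match.group(1) if match else None


def audit_archive(archive, minimum="2.17.0"):
    """archive is a file path or the archive's bytes; returns one Finding per Log4j jar."""
    source = archive if isinstance(archive, str) else io.BytesIO(archive)
    findings = []
    with zipfile.ZipFile(source) as outer:
        for info in outer.infolist():
            if not info.filename.startswith(NESTED_LIB_DIRS):
                continue
            match = LOG4J_RE.search(info.filename)
            if match is None:
                continue
            version = version_from_manifest(outer.read(info)) or match.group("version")
            stored = info.compress_type == zipfile.ZIP_STORED
            ok = parse_version(version) >= parse_version(minimum) and stored
            findings.append(Finding(info.filename, version, stored, ok))
    return findings


def build_sample(versions, compressed=False):
    """Constructed sample (not a real CAST file): a minimal Spring Boot style JAR
    whose nested Log4j jars carry the given (artifact, version) pairs."""
    compress_type = zipfile.ZIP_DEFLATED if compressed else zipfile.ZIP_STORED
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as outer:
        outer.writestr("META-INF/MANIFEST.MF",
                       "Manifest-Version: 1.0\nMain-Class: org.springframework.boot.loader.JarLauncher\n")
        for artifact, version in versions:
            inner_buf = io.BytesIO()
            with zipfile.ZipFile(inner_buf, "w") as nested:
                nested.writestr("META-INF/MANIFEST.MF",
                                f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            outer.writestr(f"BOOT-INF/lib/log4j-{artifact}-{version}.jar",
                           inner_buf.getvalue(), compress_type=compress_type)
    return outer_buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_log4j.py <dashboard>-<version>.jar   (script name is hypothetical)
    # With no argument, audits a constructed sample that still carries Log4j 2.14.1.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_archive(target) if target else audit_archive(build_sample([("core", "2.14.1")]))
    for finding in results:
        status = "OK  " if finding.ok else "FAIL"
        print(f"{status} {finding.path} version={finding.version} stored={finding.stored}")
    if not results:
        print("no Log4j jars found under BOOT-INF/lib/ or WEB-INF/lib/")
```

An empty result is itself a warning sign: it usually means the wrong archive was opened, or the jar command was run from the wrong folder so the BOOT-INF/lib/ structure was not preserved. A FAIL with stored=False means the repack compressed the nested jars (for example by omitting the 0 flag or using an archiver with compression enabled) and the service will not start even though the Log4j version is correct.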
Browse to the following location:
CATALINA_HOME\webapps\<dashboard>\WEB-INF\lib\
Delete these four files and then replace them with the equivalent 2.17.0/2.17.1 files located in the ZIP you downloaded from Apache:
CAST Dashboards 1.x | CAST Dashboards 2.x |
---|---|
| |
Restart the CAST Dashboard to ensure the change is taken into account.
Before starting note the following:
Log4j files are found in two locations:
Locate the following files and repeat the instructions below for all files:
AIP Console front-end service: %PROGRAMFILES%\CAST\AipConsole\AipConsole\bin\aip-console-app.jar
All AIP Node services: %PROGRAMFILES%\CAST\AipConsole\AipNode\bin\aip-node-app.jar
Extract each .JAR file with 7-Zip (use the right-click Extract files... option) to a temporary folder (use one folder for each JAR), for example C:\CAST\temp\<folder>:
When extracted, drill down to the following location: C:\CAST\temp\<folder>\BOOT-INF\lib\ in each extracted folder and locate the four files listed below. Delete these four files and then replace them with the equivalent 2.17.0/2.17.1 files located in the ZIP you downloaded from Apache. Repeat for each AIP Console .JAR file you have extracted.
Open a command prompt using CMD and navigate to C:\CAST\temp\<folder>. Run the command listed below in the CMD window, using the original file name (aip-console-app.jar for the AIP Console front-end service, aip-node-app.jar for an AIP Node service). Repeat for each AIP Console/Node .JAR file you have extracted. This action will generate a new .JAR file containing the updated Apache Log4j 2.17.0/2.17.1 files:
jar cMvf0 aip-console-app.jar *
Note that the "jar" command is only recognised when you have installed a Java JDK. If you only have the JRE, then the command will fail.
You now need to copy this new .JAR file to the relevant CAST AIP Console/Node installation folder under /bin and overwrite the original.
Browse to the following location on all AIP Node services:
%PROGRAMFILES%\CAST\AipConsole\AipNode\admin\bin\lib
Locate the three files listed below. Delete these files and then replace them with the equivalent 2.17.0/2.17.1 files located in the ZIP you downloaded from Apache. Repeat for each AIP Node service:
Locate the following file:
<AIPConsole_install>/bin/aip-console-app.jar
Create a temporary folder and unzip this .JAR file into this new empty folder:
mkdir $HOME/CAST/temp
unzip aip-console-app.jar -d $HOME/CAST/temp
Delete the following four files located in the BOOT-INF/lib/ folder in the folder containing the extracted AIP Console .JAR:
cd $HOME/CAST/temp/BOOT-INF/lib/
rm -rf log4j-api-*.jar log4j-core-*.jar log4j-jul-*.jar log4j-slf4j-impl-*.jar
Copy the equivalent four 2.17.0 files located in the ZIP you downloaded from Apache into the extracted BOOT-INF/lib/ folder:
cp $HOME/CAST/<unpacked_Apache_ZIP>/{log4j-api-2.17.0.jar,log4j-core-2.17.0.jar,log4j-jul-2.17.0.jar,log4j-slf4j-impl-2.17.0.jar} $HOME/CAST/temp/BOOT-INF/lib/
Navigate into the folder containing the extracted AIP Console .JAR and run the command listed below. This action will generate a new .JAR file containing the updated Apache Log4j 2.17.0/2.17.1 files:
cd $HOME/CAST/temp
jar cMvf0 aip-console-app.jar *
Note that the "jar" command is only recognised when you have installed a Java JDK. If you only have the JRE, then the command will fail.
Copy the new aip-console-app.jar file into the original location of this file, replacing the original:
cp aip-console-app.jar <AIPConsole_install>/bin
Before starting note the following:
CAST Management Studio includes an embedded WAR file that is used by this option:
When the option is clicked, the embedded WAR file is launched on the fly and it is this WAR file that contains Log4j files. To mitigate this, there are two steps listed below:
When the option is clicked, CAST Management Studio deploys the embedded WAR file in the following location - the deployed location will contain the Log4j files (as well as being present in the WAR file):
%TEMP%\jetty-0_0_0_0-0-CAST-AED-CMS_war-_CAST-AED-CMS-any-<random_id>.dir
You should first delete this folder entirely.
Browse to the following location and locate the embedded WAR file:
%PROGRAMFILES%\CAST\8.3\WARS\internal\CAST-AED-CMS.war
Extract the WAR file using 7-Zip (use the right-click Extract files... option) to a temporary folder, for example C:\CAST\temp\<folder>. When extracted, drill down to the following location: C:\CAST\temp\<folder>\WEB-INF\lib and locate the four files listed below. Delete these four files and then replace them with the equivalent 2.17.0/2.17.1 files located in the ZIP you downloaded from Apache:
Now archive the extracted files and create a new WAR file called CAST-AED-CMS.war using 7-Zip:
Copy the resulting .WAR file and paste it into the following location, overwriting the existing WAR file:
%PROGRAMFILES%\CAST\8.3\WARS\internal\CAST-AED-CMS.war
The next time you use the Open dashboard option in CAST Management Studio, the newly created WAR file will be deployed to %TEMP% and then used.
Before starting note the following:
Browse to the following location in the installed extension on all AIP Nodes:
%PROGRAMDATA%\CAST\CAST\Extensions\com.castsoftware.mqe.<version>\jars\RabbitMQ_jars
Locate the two files listed below. Delete these files and then replace them with the equivalent 2.17.0/2.17.1 files located in the ZIP you downloaded from Apache. Repeat for each AIP Node service where this extension is installed: