Project: JOC - JobScheduler Operations Center
Issue: JOC-1184

Update log4j2 2.14.1 to 2.15.0 due to 3rd party vulnerability issue in log4j2 2.14.1 (CVE-2021-44228)


    Details

    • Type: Fix
    • Status: Released
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.12.12, 1.13.3, 2.0.0
    • Fix Version/s: 1.12.15, 1.13.10, 2.1.2, 2.2.0
    • Component/s: None
    • Labels: None
    • CVE-ID: CVE-2021-44228

    Description

    Current Situation

    • Currently the latest JS1 and JS7 JobScheduler components use log4j 2.13.2 and 2.14.1 respectively.
    • Two vulnerabilities affect these log4j2 versions.
    • Severity Level: MEDIUM
      • There is no evident exploit with the current JS1 and JS7 JobScheduler components. The components do not make use of the LDAP JNDI parser and are provided without a JNDI configuration.
      • JDK versions 1.8u191 and later, and 11.0.1 and later, might not prevent the LDAP-related code execution from this vulnerability.
      • Customers who changed the Log4j configuration to make use of the LDAP JNDI parser should evaluate the vulnerability for their environments.

    Desired Behavior

    • Due to the vulnerability in older log4j releases, JobScheduler (JS1) and JS7 components should use the current version 2.15.0, which fixes the issues.

    Workaround

      • YADE (release 1.13.3 and newer)
        • YADE Command Line Client
          • remove the following libraries from directory: YADE_HOME/lib/3rd-party
            • log4j-api-2.13.0.jar
            • log4j-core-2.13.0.jar
            • log4j-slf4j-impl-2.13.0.jar
          • add the following libraries to directory: YADE_HOME/lib/3rd-party
            • log4j-api-2.15.0.jar
            • log4j-core-2.15.0.jar
            • log4j-slf4j-impl-2.15.0.jar
      • JS7 JobScheduler (release 2.0.0 and newer)
        • Controller
          • remove the following libraries from directory: JS7_CONTROLLER_HOME/lib/3rd-party
            • org.apache.logging.log4j.log4j-api-2.14.1.jar
            • org.apache.logging.log4j.log4j-core-2.14.1.jar
            • org.apache.logging.log4j.log4j-slf4j-impl-2.14.1.jar
          • add the following libraries to directory: JS7_CONTROLLER_HOME/lib/3rd-party
            • log4j-api-2.15.0.jar
            • log4j-core-2.15.0.jar
            • log4j-slf4j-impl-2.15.0.jar
        • Agent
          • remove the following libraries from directory: JS7_AGENT_HOME/lib/3rd-party
            • org.apache.logging.log4j.log4j-api-2.14.1.jar
            • org.apache.logging.log4j.log4j-core-2.14.1.jar
            • org.apache.logging.log4j.log4j-slf4j-impl-2.14.1.jar
          • add the following libraries to directory: JS7_AGENT_HOME/lib/3rd-party
            • log4j-api-2.15.0.jar
            • log4j-core-2.15.0.jar
            • log4j-slf4j-impl-2.15.0.jar
      • Maintenance Releases
        • maintenance releases are targeted for the following dates:
          • release 1.12.15: 2021-12-16 (available for download)
          • release 1.13.10: 2021-12-17 (available for download)
          • release 2.1.3: 2021-12-15 (available for download)
          • release 2.2.0: 2021-12-22
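The jar swap described in the workaround above, as an added example script that is not part of the SOS/JobScheduler project. It assumes the component (YADE client, JS7 Controller or Agent) is stopped, that the three 2.15.0 jars have already been downloaded into a staging directory, and that the `lib/3rd-party` path is passed as the first argument; it handles both jar naming schemes listed above (`log4j-core-2.13.0.jar` for YADE and `org.apache.logging.log4j.log4j-core-2.14.1.jar` for JS7) and finishes with a check that no log4j jar other than 2.15.0 remains. The sandbox directory and the empty placeholder files it creates for the demo are constructed for illustration and are not real archives.

```shell
#!/bin/sh
# Added example (not SOS/JobScheduler project code): replace log4j2 jars in a
# JS1/JS7 lib/3rd-party directory as the issue's workaround describes.
# Assumptions: the component is stopped, the 2.15.0 jars are already in
# STAGE_DIR, and LIB_DIR is YADE_HOME/lib/3rd-party,
# JS7_CONTROLLER_HOME/lib/3rd-party or JS7_AGENT_HOME/lib/3rd-party.

NEW_VERSION="2.15.0"

# Print the log4j api/core/slf4j-impl jars in LIB_DIR as "<artifact> <version>",
# covering both naming schemes (log4j-core-2.13.0.jar and
# org.apache.logging.log4j.log4j-core-2.14.1.jar).
list_log4j_jars() {
    lib_dir="$1"
    for f in "$lib_dir"/*log4j-*.jar; do
        [ -e "$f" ] || continue
        name=$(basename "$f" .jar)
        name=${name#org.apache.logging.log4j.}   # strip the JS7 group prefix if present
        artifact=${name%-*}                       # e.g. log4j-core
        version=${name##*-}                       # e.g. 2.14.1
        echo "$artifact $version"
    done
}

# Remove every log4j jar whose version is not NEW_VERSION, then copy the
# api/core/slf4j-impl jars of NEW_VERSION from STAGE_DIR. Prints the number of
# jars removed; fails without touching the copy step if a new jar is missing.
replace_log4j_jars() {
    lib_dir="$1"; stage_dir="$2"; removed=0
    for a in api core slf4j-impl; do
        [ -f "$stage_dir/log4j-$a-$NEW_VERSION.jar" ] || { echo "missing log4j-$a-$NEW_VERSION.jar in $stage_dir" >&2; return 1; }
    done
    for f in "$lib_dir"/*log4j-*.jar; do
        [ -e "$f" ] || continue
        case "$f" in
            *-"$NEW_VERSION".jar) continue ;;   # already current, keep it
        esac
        rm -f "$f"; removed=$((removed + 1))
    done
    for a in api core slf4j-impl; do
        cp "$stage_dir/log4j-$a-$NEW_VERSION.jar" "$lib_dir/"
    done
    echo "$removed"
}

# Returns 0 only if every log4j jar left in LIB_DIR is NEW_VERSION; reports
# any stale jar on stderr so a leftover copy cannot go unnoticed.
verify_log4j_version() {
    lib_dir="$1"
    list_log4j_jars "$lib_dir" | while read -r artifact version; do
        [ "$version" = "$NEW_VERSION" ] || { echo "stale: $artifact $version" >&2; exit 1; }
    done
}

# Constructed sandbox for the demo: empty files stand in for the JS7 2.14.1 jars
# and for the staged 2.15.0 jars; an unrelated jar must survive the swap.
make_demo_dirs() {
    base=$(mktemp -d)
    mkdir -p "$base/lib" "$base/stage"
    for a in api core slf4j-impl; do
        : > "$base/lib/org.apache.logging.log4j.log4j-$a-2.14.1.jar"
        : > "$base/stage/log4j-$a-$NEW_VERSION.jar"
    done
    : > "$base/lib/other-lib-1.0.jar"
    echo "$base"
}

# Stand-alone demo; for a real installation call the functions with the
# component's lib/3rd-party directory and your staging directory instead.
demo_base=$(make_demo_dirs)
echo "before:"; list_log4j_jars "$demo_base/lib"
replace_log4j_jars "$demo_base/lib" "$demo_base/stage" >/dev/null
echo "after:"; list_log4j_jars "$demo_base/lib"
verify_log4j_version "$demo_base/lib" && echo "all log4j jars are $NEW_VERSION"
rm -rf "$demo_base"
```

The removal loop keys on the version suffix rather than on an exact file name, so it also catches a stale copy under either naming scheme; the verification step is what you want to keep in a post-patch checklist, since a single old `log4j-core` jar left beside the new one is enough to keep the vulnerable class on the classpath.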

    People

    • Assignee: sos_joc_team TeamJOC
    • Reporter: sp Santiago Aucejo Petzoldt
    • Approver: Kanika Agrawal
    • Votes: 1
    • Watchers: 5
