Update log4j2 2.14.1 to 2.15.0 due to 3rd party vulnerability issue in log4j2 2.14.1 (CVE-2021-44228)

Current Situation

• Currently the latest JS1 and JS7 JobScheduler components use log4j 2.13.2 and 2.14.1 respectively.
• Two vulnerabilities affect the log4j2 versions,
  • CVE-2021-44228 is addressed by this issue see https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2021-44228
  • CVE-2021-45046 is addressed by JOC-1186 and affects JobScheduler releases including those patched for CEV-2021-44228, see https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2021-45046
• Severity Level: MEDIUM
  • There is no evident exploit with current JS1 and JS7 JobScheduler components. The components do not make use of the LDAP JNDI parser and are provided without JNDI configuration.
  • JDK version 1.8u191 and later, 11.0.1 and later might not prevent LDAP related code execution from the vulnerability.
  • Customers who changed the Log4j configuration to make use of the LDAP JNDI parser should evaluate the vulnerability for their environments.

Desired Behavior

• Due to a vulnerability Issue of older log4j releases JobScheduler and JS7 components should use the current version 2.15.0 that fixes the issues.

Workaround

• Apache offers
  • information about configuration changes to prevent the issue with https://logging.apache.org/log4j/2.x/security.html
    • Preliminary measures include to use the Java option -Dlog4j2.formatMsgNoLookups=true
    • For JS1 branches find information where to set Java options from the How to configure logging in JobScheduler article.
      • Set Java options for the Master with Linux and Windows in SCHEDULER_DATA/config/factory.ini
      • Set Java options for the Agent with Linux and Windows in SCHEDULER_HOME/bin/agent_<port>.sh | .cmd
      • Set Java options for the JOC Cockpit with Linux in /etc/default/joc or by setting the environment variable in the systemd service file.
    • For JS7 branches find information where to set Java options from the JS7 - Log Levels and Debug Options article
  • updated versions of log4j2 libraries that fix the vulnerability from https://logging.apache.org/log4j/2.x/download.html
    • log4j-api-2.15.0.jar {{or }}log4j-api-2.15.0.jar{{}}
    • log4j-core-2.15.0.jar {{or }}log4j-core-2.15.0.jar{{}}
    • log4j-slf4j-impl-2.15.0.jar {{or }}log4j-slf4j-impl-2.15.0.jar
• JS1 JobScheduler (release 1.12.12 and newer)
  • JOC Cockpit
    • Patches are available for any affected maintenance releases starting from 1.12.2. To apply a patch
      • stop JOC Cockpit
      • replace the JETTY_BASE/webapps/joc.war file with the respectively downloaded file matching your version
      • start JOC Cockpit
    • Branch 1.12 is in LTS mode for a longer time, patches are available for LTS subscribers. Users of the Open Source license are recommended to upgrade to a current release 1.13.x. The following links include patches for both CEV-2021-44228 and CVE-2021-45046.
      • Patch for 1.12.12: https://download.sos-berlin.com/JobScheduler.1.12/lts/1.12.12/joc.war 
      • Patch for 1.12.13: https://download.sos-berlin.com/JobScheduler.1.12/lts/1.12.13/joc.war 
      • Patch for 1.12.14: https://download.sos-berlin.com/JobScheduler.1.12/lts/1.12.14/joc.war 

• JS1 JobScheduler (release 1.13.3 and newer)
  • Master
    • 1.13.3
      • remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.13.0.jar
        • log4j-core-2.13.0.jar
      • remove the following libraries from directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.13.0.jar
    • 1.13.4 to 1.13.8
      • remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.13.2.jar
        • log4j-core-2.13.2.jar
      • remove the following libraries from directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.13.2.jar
    • 1.13.9
      • remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.14.0.jar
        • log4j-core-2.14.0.jar
      • remove the following libraries from directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.14.0.jar
    • All versions
      • add the following libraries to directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.15.0.jar
        • log4j-core-2.15.0.jar
      • add the following libraries to directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.15.0.jar
  • Agent
    • 1.13.3
      • remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.13.0.jar
        • log4j-core-2.13.0.jar
      • remove the following libraries from directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.13.0.jar
    • 1.13.4 to 1.13.8
      • remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.13.2.jar
        • log4j-core-2.13.2.jar
      • remove the following libraries from directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.13.2.jar
    • 1.13.9
      • remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.14.0.jar
        • log4j-core-2.14.0.jar
      • remove the following libraries from directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.14.0.jar
    • All versions
      • add the following libraries to directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.15.0.jar
        • log4j-core-2.15.0.jar
      • add the following libraries to directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.15.0.jar
  • JOC Cockpit
    • Patches are available for any affected maintenance releases starting from 1.13.3. To apply a patch
      • stop JOC Cockpit
      • replace the JETTY_BASE/webapps/joc.war file with the respective downloadable file matching your version
      • start JOC Cockpit
    • The following links include patches for both CEV-2021-44228 and CVE-2021-45046.
    • Patch for 1.13.3: https://download.sos-berlin.com/JobScheduler.1.13/1.13.3/joc.war
    • Patch for 1.13.4: https://download.sos-berlin.com/JobScheduler.1.13/1.13.4/joc.war
    • Patch for 1.13.5: https://download.sos-berlin.com/JobScheduler.1.13/1.13.5/joc.war
    • Patch for 1.13.6: https://download.sos-berlin.com/JobScheduler.1.13/1.13.6/joc.war
    • Patch for 1.13.7: https://download.sos-berlin.com/JobScheduler.1.13/1.13.7/joc.war
    • Patch for 1.13.8: https://download.sos-berlin.com/JobScheduler.1.13/1.13.8/joc.war
    • Patch for 1.13.9: https://download.sos-berlin.com/JobScheduler.1.13/1.13.9/joc.war
    • Customers who are running a 1.13.4, 1.13.6 or a 1.13.7 version which have been previously patched via the patch executor can reapply the patch with the respective downloadable file below matching your patch version. For instructions, see KB article Apply patches to JOC Cockpit.
      • Fixed patch 1.13.4-patch.war: https://download.sos-berlin.com/JobScheduler.1.13/1.13.4/joc.1.13.4-patch.war
      • Fixed patch 1.13.4-patch2.war: https://download.sos-berlin.com/JobScheduler.1.13/1.13.4/joc.1.13.4-patch2.war
      • Fixed patch 1.13.6-patch.war: https://download.sos-berlin.com/JobScheduler.1.13/1.13.6/joc.1.13.6-patch.war
      • Fixed patch 1.13.7-patch.war: https://download.sos-berlin.com/JobScheduler.1.13/1.13.7/joc.1.13.7-patch.war

• YADE (release 1.13.3 and newer)
  • YADE Command Line Client
    • remove the following libraries from directory: YADE_HOME/lib/3rd-party
      • log4j-api-2.13.0.jar
      • log4j-core-2.13.0.jar
      • log4j-slf4j-impl-2.13.0.jar
    • add the following libraries to directory: YADE_HOME/lib/3rd-party
      • log4j-api-2.15.0.jar
      • log4j-core-2.15.0.jar
      • log4j-slf4j-impl-2.15.0.jar

• JS7 JobScheduler (release 2.0.0 and newer)
  • Controller
    • remove the following libraries from directory: JS7_CONTROLLER_HOME/lib/3rd-party
      • org.apache.logging.log4j.log4j-api-2.14.1.jar
      • org.apache.logging.log4j.log4j-core-2.14.1.jar
      • org.apache.logging.log4j.log4j-slf4j-impl-2.14.1.jar
    • add the following libraries to directory: JS7_CONTROLLER_HOME/lib/3rd-party
      • log4j-api-2.15.0.jar
      • log4j-core-2.15.0.jar
      • log4j-slf4j-impl-2.15.0.jar
  • Agent
    • remove the following libraries from directory: JS7_AGENT_HOME/lib/3rd-party
      • org.apache.logging.log4j.log4j-api-2.14.1.jar
      • org.apache.logging.log4j.log4j-core-2.14.1.jar
      • org.apache.logging.log4j.log4j-slf4j-impl-2.14.1.jar
    • add the following libraries to directory: JS7_AGENT_HOME/lib/3rd-party
      • log4j-api-2.15.0.jar
      • log4j-core-2.15.0.jar
      • log4j-slf4j-impl-2.15.0.jar

• Maintenance Releases
  • maintenance releases are targeted for the following dates:
    • release 1.12.15: 2021-12-16 (available for download)
    • release 1.13.10: 2021-12-17 (available for download)
    • release 2.1.3: 2021-12-15 (available for download)
    • release 2.2.0: 2021-12-22