Update log4j2 2.15.0 to 2.16.0 due to 3rd party vulnerability issue in log4j2 2.15.0 (CVE-2021-45046)

Current Situation

• Currently the latest JS1 and JS7 JobScheduler components use log4j 2.13.2 and 2.14.1 respectively.
• Two vulnerabilities affect the log4j2 versions,
  • CVE-2021-45046 affects JobScheduler releases including those patched for CEV-2021-44228, see https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2021-45046
  • CVE-2021-44228 is addressed by JOC-1184, see https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2021-44228

• Severity Level: MEDIUM
  • There is no evident exploit with current JS1 and JS7 JobScheduler components.
  • JOC Cockpit (JS1/JS7) and Master (JS1) ship with a log4j2.xml configuration file that includes vulnerable context lookup patterns.
  • Controller (JS7) and Agents (JS1/JS7) do not ship with a Log4j configuration affected by the vulnerability.
  • Customers who changed the Log4j configuration to make use of the LDAP JNDI parser should evaluate the vulnerability for their environments.

Desired Behavior

• Due to a vulnerability Issue of older log4j releases JobScheduler and JS7 components should use the current version 2.16.0 that fixes the issues.

Workaround

• Apache offers
  • updated versions of log4j2 libraries that fix the vulnerability from https://logging.apache.org/log4j/2.x/download.html
    • log4j-api-2.16.0.jar
    • log4j-core-2.16.0.jar
    • log4j-slf4j-impl-2.16.0.jar
• JS1 JobScheduler (release 1.12.12 and newer)
  • JOC Cockpit
    • Patches are available for any affected maintenance releases starting from 1.12.2. To apply a patch
      • stop JOC Cockpit
      • replace the JETTY_BASE/webapps/joc.war file with the respectively downloaded file matching your version
      • start JOC Cockpit
    • Branch 1.12 is in LTS mode for a longer time, patches are available for LTS subscribers. Users of the Open Source license are recommended to upgrade to a current release 1.13.x
      • Patch for 1.12.12: https://download.sos-berlin.com/JobScheduler.1.12/lts/1.12.12/joc.war 
      • Patch for 1.12.13: https://download.sos-berlin.com/JobScheduler.1.12/lts/1.12.13/joc.war 
      • Patch for 1.12.14: https://download.sos-berlin.com/JobScheduler.1.12/lts/1.12.14/joc.war 

• JS1 JobScheduler (release 1.13.3 and newer)
  • Master
    • 1.13.3
      • remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.13.0.jar
        • log4j-core-2.13.0.jar
      • remove the following libraries from directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.13.0.jar
    • 1.13.4 to 1.13.8
      • remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.13.2.jar
        • log4j-core-2.13.2.jar
      • remove the following libraries from directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.13.2.jar
    • 1.13.9
      • remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.14.0.jar
        • log4j-core-2.14.0.jar
      • remove the following libraries from directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.14.0.jar
    • All versions
      • add the following libraries to directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.16.0.jar
        • log4j-core-2.16.0.jar
      • add the following libraries to directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.16.0.jar
  • Agent
    • 1.13.3
      • remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.13.0.jar
        • log4j-core-2.13.0.jar
      • remove the following libraries from directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.13.0.jar
    • 1.13.4 to 1.13.8
      • remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.13.2.jar
        • log4j-core-2.13.2.jar
      • remove the following libraries from directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.13.2.jar
    • 1.13.9
      • remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.14.0.jar
        • log4j-core-2.14.0.jar
      • remove the following libraries from directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.14.0.jar
    • All versions
      • add the following libraries to directory: SCHEDULER_HOME/lib/3rd-party
        • log4j-api-2.16.0.jar
        • log4j-core-2.16.0.jar
      • add the following libraries to directory: SCHEDULER_HOME/lib/log/log4j
        • log4j-slf4j-impl-2.16.0.jar
  • JOC Cockpit
    • Patches are available for any affected maintenance releases starting from 1.13.3. To apply a patch
      • stop JOC Cockpit
      • replace the JETTY_BASE/webapps/joc.war file with the respective downloadable file matching your version
      • start JOC Cockpit
    • Patch for 1.13.3: https://download.sos-berlin.com/JobScheduler.1.13/1.13.3/joc.war
    • Patch for 1.13.4: https://download.sos-berlin.com/JobScheduler.1.13/1.13.4/joc.war
    • Patch for 1.13.5: https://download.sos-berlin.com/JobScheduler.1.13/1.13.5/joc.war
    • Patch for 1.13.6: https://download.sos-berlin.com/JobScheduler.1.13/1.13.6/joc.war
    • Patch for 1.13.7: https://download.sos-berlin.com/JobScheduler.1.13/1.13.7/joc.war
    • Patch for 1.13.8: https://download.sos-berlin.com/JobScheduler.1.13/1.13.8/joc.war
    • Patch for 1.13.9: https://download.sos-berlin.com/JobScheduler.1.13/1.13.9/joc.war
    • Customers who are running a 1.13.4, 1.13.6 or a 1.13.7 version which have been previously patched via the patch executor can reapply the patch with the respective downloadable file below matching your patch version. For instructions, see KB article Apply patches to JOC Cockpit.
      • Fixed patch 1.13.4-patch.war: https://download.sos-berlin.com/JobScheduler.1.13/1.13.4/joc.1.13.4-patch.war
      • Fixed patch 1.13.4-patch2.war: https://download.sos-berlin.com/JobScheduler.1.13/1.13.4/joc.1.13.4-patch2.war
      • Fixed patch 1.13.6-patch.war: https://download.sos-berlin.com/JobScheduler.1.13/1.13.6/joc.1.13.6-patch.war
      • Fixed patch 1.13.7-patch.war: https://download.sos-berlin.com/JobScheduler.1.13/1.13.7/joc.1.13.7-patch.war

• YADE (release 1.13.3 and newer)
  • YADE Command Line Client
    • remove the following libraries from directory: YADE_HOME/lib/3rd-party
      • log4j-api-2.13.0.jar
      • log4j-core-2.13.0.jar
      • log4j-slf4j-impl-2.13.0.jar
    • add the following libraries to directory: YADE_HOME/lib/3rd-party
      • log4j-api-2.16.0.jar
      • log4j-core-2.16.0.jar
      • log4j-slf4j-impl-2.16.0.jar

• JS7 JobScheduler (release 2.0.0 and newer)
  • Controller
    • remove the following libraries from directory: JS7_CONTROLLER_HOME/lib/3rd-party
      • org.apache.logging.log4j.log4j-api-2.14.1.jar
      • org.apache.logging.log4j.log4j-core-2.14.1.jar
      • org.apache.logging.log4j.log4j-slf4j-impl-2.14.1.jar
    • add the following libraries to directory: JS7_CONTROLLER_HOME/lib/3rd-party
      • log4j-api-2.16.0.jar
      • log4j-core-2.16.0.jar
      • log4j-slf4j-impl-2.16.0.jar
  • Agent
    • remove the following libraries from directory: JS7_AGENT_HOME/lib/3rd-party
      • org.apache.logging.log4j.log4j-api-2.14.1.jar
      • org.apache.logging.log4j.log4j-core-2.14.1.jar
      • org.apache.logging.log4j.log4j-slf4j-impl-2.14.1.jar
    • add the following libraries to directory: JS7_AGENT_HOME/lib/3rd-party
      • log4j-api-2.16.0.jar
      • log4j-core-2.16.0.jar
      • log4j-slf4j-impl-2.16.0.jar

• Maintenance Releases
  • maintenance releases are targeted for the following dates:
    • release 1.12.15: 2021-12-16 (available for download)
    • release 1.13.10: 2021-12-17 (available for download)
    • release 2.1.3: 2021-12-15 (available for download)
    • release 2.2.0: 2021-12-22