Uploaded image for project: 'JOC - JobScheduler Operations Center'
  1. JOC - JobScheduler Operations Center
  2. JOC-1186

Update log4j2 2.15.0 to 2.16.0 due to 3rd party vulnerability issue in log4j2 2.15.0 (CVE-2021-45046)

    XMLWordPrintable

    Details

    • CVE-ID:
      CVE-2021-45046

      Description

      Current Situation

      • Severity Level: MEDIUM
        • There is no evident exploit with current JS1 and JS7 JobScheduler components.
        • JOC Cockpit (JS1/JS7) and Master (JS1) ship with a log4j2.xml configuration file that includes vulnerable context lookup patterns.
        • Controller (JS7) and Agents (JS1/JS7) do not ship with a Log4j configuration affected by the vulnerability.
        • Customers who changed the Log4j configuration to make use of the LDAP JNDI parser should evaluate the vulnerability for their environments.

      Desired Behavior

      • Due to a vulnerability Issue of older log4j releases JobScheduler and JS7 components should use the current version 2.16.0 that fixes the issues.

      Workaround

      • YADE (release 1.13.3 and newer)
        • YADE Command Line Client
          • remove the following libraries from directory: YADE_HOME/lib/3rd-party
            • log4j-api-2.13.0.jar
            • log4j-core-2.13.0.jar
            • log4j-slf4j-impl-2.13.0.jar
          • add the following libraries to directory: YADE_HOME/lib/3rd-party
            • log4j-api-2.16.0.jar
            • log4j-core-2.16.0.jar
            • log4j-slf4j-impl-2.16.0.jar
      • JS7 JobScheduler (release 2.0.0 and newer)
        • Controller
          • remove the following libraries from directory: JS7_CONTROLLER_HOME/lib/3rd-party
            • org.apache.logging.log4j.log4j-api-2.14.1.jar
            • org.apache.logging.log4j.log4j-core-2.14.1.jar
            • org.apache.logging.log4j.log4j-slf4j-impl-2.14.1.jar
          • add the following libraries to directory: JS7_CONTROLLER_HOME/lib/3rd-party
            • log4j-api-2.16.0.jar
            • log4j-core-2.16.0.jar
            • log4j-slf4j-impl-2.16.0.jar
        • Agent
          • remove the following libraries from directory: JS7_AGENT_HOME/lib/3rd-party
            • org.apache.logging.log4j.log4j-api-2.14.1.jar
            • org.apache.logging.log4j.log4j-core-2.14.1.jar
            • org.apache.logging.log4j.log4j-slf4j-impl-2.14.1.jar
          • add the following libraries to directory: JS7_AGENT_HOME/lib/3rd-party
            • log4j-api-2.16.0.jar
            • log4j-core-2.16.0.jar
            • log4j-slf4j-impl-2.16.0.jar
      • Maintenance Releases
        • maintenance releases are targeted for the following dates:
          • release 1.12.15: 2021-12-16 (available for download)
          • release 1.13.10: 2021-12-17 (available for download)
          • release 2.1.3: 2021-12-15 (available for download)
          • release 2.2.0: 2021-12-22

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                ap Andreas Püschel
                Reporter:
                ap Andreas Püschel
                Approver:
                Kanika Agrawal
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: