Uploaded image for project: 'JOC - JobScheduler Operations Center'
  1. JOC - JobScheduler Operations Center
  2. JOC-1188

Update log4j2 2.16.0 to 2.17.0 due to 3rd party vulnerability issue in log4j2 2.16.0 (CVE-2021-45105)

    XMLWordPrintable

    Details

    • CVE-ID:
      CVE-2021-45105

      Description

      Current Situation

      • Severity Level: LOW
        • There is no evident exploit with current JS1 and JS7 JobScheduler components.
        • JOC Cockpit (JS1/JS7) and Master (JS1) ship with a log4j2.xml configuration file that does not includes configuration items that are subject to the vulnerability CVE-2021-45105 in lookup patterns. However, this might not apply in case that users modified the JobScheduler's log4j configuration files.
        • Controller (JS7) and Agents (JS1/JS7) do not ship with a Log4j configuration affected by the vulnerability.
        • The nature of this vulnerability includes to have administrative access to JobScheduler's log4j configuration files. A successful exploit would result a denial of service.

      Desired Behavior

      • Due to a vulnerability issue of older log4j releases JobScheduler and JS7 components should use the current version 2.17.0 that fixes the issues.

      Workaround

      • YADE (release 1.13.3 and newer)
        • YADE Command Line Client
          • remove the following libraries from directory: YADE_HOME/lib/3rd-party
            • log4j-core-2.13.0.jar or any later version before 2.17.0
          • add the following libraries to directory: YADE_HOME/lib/3rd-party
            • log4j-core-2.17.0.jar
      • JS7 JobScheduler (release 2.0.0 and newer)
        • Controller
          • remove the following libraries from directory: JS7_CONTROLLER_HOME/lib/3rd-party
            • org.apache.logging.log4j.log4j-core-2.14.1.jar or any later version before 2.17.0
          • add the following libraries to directory: JS7_CONTROLLER_HOME/lib/3rd-party
            • log4j-core-2.16.0.jar
        • Agent
          • remove the following libraries from directory: JS7_AGENT_HOME/lib/3rd-party
            • org.apache.logging.log4j.log4j-core-2.14.1.jar or any later version before 2.17.0
          • add the following libraries to directory: JS7_AGENT_HOME/lib/3rd-party
            • log4j-core-2.17.0.jar
      • Maintenance Releases
        • maintenance releases are targeted for the following dates:
          • release 1.13.11: 2022-03-17
          • release 2.2.0: 2021-12-22

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                ap Andreas Püschel
                Reporter:
                ap Andreas Püschel
                Approver:
                Kanika Agrawal
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: