Details
- Issue type: Fix
- Status: Released
- Priority: Low
- Resolution: Fixed
- Fix versions: 1.12.12, 1.13.3, 2.0.0
- CVE: CVE-2021-45105
Description
Current Situation
- Currently the latest JS1 and JS7 JobScheduler components use log4j 2.13.2, 2.14.1 and 2.16.0 respectively.
- Three vulnerabilities affect current log4j2 versions:
- CVE-2021-45105 affects JobScheduler releases including those already patched for CVE-2021-45046 and CVE-2021-44228, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
- CVE-2021-45046 is addressed by JOC-1186 and affects JobScheduler releases including those patched for CVE-2021-44228, see https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2021-45046
- CVE-2021-44228 is addressed by JOC-1184, see https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2021-44228
- Severity Level: LOW
- There is no evident exploit with current JS1 and JS7 JobScheduler components.
- JOC Cockpit (JS1/JS7) and Master (JS1) ship with a log4j2.xml configuration file that does not include the lookup patterns subject to CVE-2021-45105. This might not hold if users have modified JobScheduler's log4j configuration files.
- Controller (JS7) and Agents (JS1/JS7) do not ship with a log4j configuration affected by the vulnerability.
- Exploiting this vulnerability requires administrative access to JobScheduler's log4j configuration files. A successful exploit would result in a denial of service.
Desired Behavior
- Because older log4j releases are affected by this vulnerability, JobScheduler (JS1) and JS7 components should use the current log4j version 2.17.0, which fixes the issues.
Workaround
- Apache offers updated versions of the log4j2 libraries that fix the vulnerability at https://logging.apache.org/log4j/2.x/download.html
- The required library is log4j-core-2.17.0.jar
- JS1 JobScheduler (release 1.12.12 and newer)
- JOC Cockpit
- Patches are available for any affected maintenance release starting from 1.12.2. To apply a patch:
- stop JOC Cockpit
- replace the JETTY_BASE/webapps/joc.war file with the respectively downloaded file matching your version
- start JOC Cockpit
- Branch 1.12 has been in LTS mode for some time; patches are available to LTS subscribers. Users of the Open Source license are recommended to upgrade to a current 1.13.x release.
- Patch for 1.12.12: https://download.sos-berlin.com/JobScheduler.1.12/lts/1.12.12/joc.war
- Patch for 1.12.13: https://download.sos-berlin.com/JobScheduler.1.12/lts/1.12.13/joc.war
- Patch for 1.12.14: https://download.sos-berlin.com/JobScheduler.1.12/lts/1.12.14/joc.war
- Patch for 1.12.15: https://download.sos-berlin.com/JobScheduler.1.12/lts/1.12.15/joc.war
- JS1 JobScheduler (release 1.13.3 and newer)
- Master
- 1.13.3
- remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
- log4j-core-2.13.0.jar or any later version before 2.17.0
- 1.13.4 to 1.13.8
- remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
- log4j-core-2.13.2.jar or any later version before 2.17.0
- 1.13.9
- remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
- log4j-core-2.14.0.jar or any later version before 2.17.0
- 1.13.10
- remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
- log4j-core-2.16.0.jar or any later version before 2.17.0
- All versions
- add the following libraries to directory: SCHEDULER_HOME/lib/3rd-party
- log4j-core-2.17.0.jar
- Agent
- 1.13.3
- remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
- log4j-core-2.13.0.jar or any later version before 2.17.0
- 1.13.4 to 1.13.8
- remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
- log4j-core-2.13.2.jar or any later version before 2.17.0
- 1.13.9
- remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
- log4j-core-2.14.0.jar or any later version before 2.17.0
- 1.13.10
- remove the following libraries from directory: SCHEDULER_HOME/lib/3rd-party
- log4j-core-2.16.0.jar or any later version before 2.17.0
- All versions
- add the following libraries to directory: SCHEDULER_HOME/lib/3rd-party
- log4j-core-2.17.0.jar
- JOC Cockpit
- Patches will become available by Monday Dec 20th, 2pm UTC, for any affected maintenance release starting from 1.13.3. To apply a patch:
- stop JOC Cockpit
- replace the JETTY_BASE/webapps/joc.war file with the respective downloadable file matching your version
- start JOC Cockpit
- Patch for 1.13.3: https://download.sos-berlin.com/JobScheduler.1.13/1.13.3/joc.war
- Patch for 1.13.4: https://download.sos-berlin.com/JobScheduler.1.13/1.13.4/joc.war
- Patch for 1.13.5: https://download.sos-berlin.com/JobScheduler.1.13/1.13.5/joc.war
- Patch for 1.13.6: https://download.sos-berlin.com/JobScheduler.1.13/1.13.6/joc.war
- Patch for 1.13.7: https://download.sos-berlin.com/JobScheduler.1.13/1.13.7/joc.war
- Patch for 1.13.8: https://download.sos-berlin.com/JobScheduler.1.13/1.13.8/joc.war
- Patch for 1.13.9: https://download.sos-berlin.com/JobScheduler.1.13/1.13.9/joc.war
- Patch for 1.13.10: https://download.sos-berlin.com/JobScheduler.1.13/1.13.10/joc.war
- Customers running a 1.13.4, 1.13.6 or 1.13.7 version that was previously patched via the patch executor can reapply the patch with the respective downloadable file below matching their patch version. For instructions, see the KB article Apply patches to JOC Cockpit.
- Fixed patch 1.13.4-patch.war: https://download.sos-berlin.com/JobScheduler.1.13/1.13.4/joc.1.13.4-patch.war
- Fixed patch 1.13.4-patch2.war: https://download.sos-berlin.com/JobScheduler.1.13/1.13.4/joc.1.13.4-patch2.war
- Fixed patch 1.13.6-patch.war: https://download.sos-berlin.com/JobScheduler.1.13/1.13.6/joc.1.13.6-patch.war
- Fixed patch 1.13.7-patch.war: https://download.sos-berlin.com/JobScheduler.1.13/1.13.7/joc.1.13.7-patch.war
- YADE (release 1.13.3 and newer)
- YADE Command Line Client
- remove the following libraries from directory: YADE_HOME/lib/3rd-party
- log4j-core-2.13.0.jar or any later version before 2.17.0
- add the following libraries to directory: YADE_HOME/lib/3rd-party
- log4j-core-2.17.0.jar
- JS7 JobScheduler (release 2.0.0 and newer)
- Controller
- remove the following libraries from directory: JS7_CONTROLLER_HOME/lib/3rd-party
- org.apache.logging.log4j.log4j-core-2.14.1.jar or any later version before 2.17.0
- add the following libraries to directory: JS7_CONTROLLER_HOME/lib/3rd-party
- log4j-core-2.16.0.jar
- Agent
- remove the following libraries from directory: JS7_AGENT_HOME/lib/3rd-party
- org.apache.logging.log4j.log4j-core-2.14.1.jar or any later version before 2.17.0
- add the following libraries to directory: JS7_AGENT_HOME/lib/3rd-party
- log4j-core-2.17.0.jar
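The two checks this issue asks operators to make, namely which log4j-core jar sits in lib/3rd-party of each component and whether a customised log4j2.xml contains the lookup pattern that CVE-2021-45105 depends on, can be scripted. The following POSIX shell script is an added example and is not part of the SOS issue or of the JobScheduler distribution. It assumes the lib/3rd-party layout and the two jar naming schemes quoted above, treats 2.17.0 as the fixed version as the issue states, and greps a log4j2.xml for a Context Lookup (${ctx:...}) in a pattern, which is the configuration item the Current Situation section refers to. The temporary directory tree built by demo_scan is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the SOS issue or the JobScheduler distribution.
# Inventories the log4j-core jars under a JobScheduler home directory
# (SCHEDULER_HOME, YADE_HOME, JS7_CONTROLLER_HOME or JS7_AGENT_HOME), flags any
# version below 2.17.0, and checks a log4j2.xml for a Context Lookup pattern.
set -u

# version_lt A B: exit 0 if dotted version A is numerically lower than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# log4j_core_version JAR: print the version embedded in a log4j-core jar name.
# Both naming schemes from the issue are handled: log4j-core-2.16.0.jar and
# org.apache.logging.log4j.log4j-core-2.14.1.jar. Prints nothing if no match.
log4j_core_version() {
  basename "$1" | sed -n 's/^.*log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# scan_log4j_core HOME: print "<jar> <version> <VULNERABLE|ok|unknown>" for every
# log4j-core jar in HOME/lib/3rd-party; exit status 1 if any is below 2.17.0.
scan_log4j_core() {
  dir="$1/lib/3rd-party"
  rc=0
  for jar in "$dir"/*log4j-core-*.jar; do
    [ -e "$jar" ] || continue          # an unmatched glob stays literal; skip it
    v=$(log4j_core_version "$jar")
    if [ -z "$v" ]; then
      printf '%s ? unknown\n' "$jar"
    elif version_lt "$v" 2.17.0; then
      printf '%s %s VULNERABLE\n' "$jar" "$v"
      rc=1
    else
      printf '%s %s ok\n' "$jar" "$v"
    fi
  done
  return "$rc"
}

# config_uses_context_lookup FILE: exit 0 if the log4j2 configuration contains a
# Context Lookup such as ${ctx:loginId} or $${ctx:loginId}. The default
# JobScheduler log4j2.xml does not contain one; a modified file might.
config_uses_context_lookup() {
  grep -q '\${ctx:' "$1"
}

# demo_scan: build a constructed sample tree (empty files are enough for a
# name-based inventory), run both checks, and clean up again.
demo_scan() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/lib/3rd-party"
  : > "$tmp/lib/3rd-party/org.apache.logging.log4j.log4j-core-2.14.1.jar"
  : > "$tmp/lib/3rd-party/log4j-core-2.17.0.jar"
  printf '%s\n' '<PatternLayout pattern="%d %p $${ctx:loginId} %m%n"/>' > "$tmp/log4j2.xml"
  scan_log4j_core "$tmp" || echo "=> remove the VULNERABLE jar(s); keep log4j-core-2.17.0.jar"
  if config_uses_context_lookup "$tmp/log4j2.xml"; then
    echo "=> $tmp/log4j2.xml uses a Context Lookup: review it before relying on the configuration alone"
  fi
  rm -rf "$tmp"
}

demo_scan
```

The inventory is name-based: a jar that has been renamed or repackaged under a different name is reported as unknown rather than ok, so such entries should be inspected by hand. Run scan_log4j_core against each component home after the library swap described above to confirm that only log4j-core-2.17.0.jar remains.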
- Maintenance Releases
- maintenance releases are targeted for the following dates:
- release 1.13.11: 2022-03-17
- release 2.2.0: 2021-12-22
Issue Links
- is related to
- JOC-1184 Update log4j2 2.14.1 to 2.15.0 due to 3rd party vulnerability issue in log4j2 2.14.1 (CVE-2021-44228): Released
- JOC-1186 Update log4j2 2.15.0 to 2.16.0 due to 3rd party vulnerability issue in log4j2 2.15.0 (CVE-2021-45046): Released
- relates to
- JOC-1192 Update log4j2 2.17.0 to 2.17.1 due to 3rd party vulnerability issue in log4j2 2.17.0 (CVE-2021-44832): Released