JOC - JobScheduler Operations Center: JOC-1188

Update log4j2 2.16.0 to 2.17.0 due to 3rd party vulnerability issue in log4j2 2.16.0 (CVE-2021-45105)


Details

    • CVE-2021-45105

    Description

      Current Situation

      • Severity Level: LOW
        • There is no evident exploit with current JS1 and JS7 JobScheduler components.
        • JOC Cockpit (JS1/JS7) and Master (JS1) ship with a log4j2.xml configuration file that does not include lookup patterns subject to the vulnerability CVE-2021-45105. However, this might not apply if users have modified the JobScheduler's log4j configuration files.
        • Controller (JS7) and Agents (JS1/JS7) do not ship with a Log4j configuration affected by the vulnerability.
        • Exploiting this vulnerability requires administrative access to JobScheduler's log4j configuration files. A successful exploit would result in a denial of service.

      Desired Behavior

      • Due to the vulnerability in older log4j releases, JobScheduler and JS7 components should use the current version 2.17.0, which fixes the issue.

      Workaround

      • YADE (release 1.13.3 and newer)
        • YADE Command Line Client
          • remove the following libraries from directory: YADE_HOME/lib/3rd-party
            • log4j-core-2.13.0.jar or any later version before 2.17.0
          • add the following libraries to directory: YADE_HOME/lib/3rd-party
            • log4j-core-2.17.0.jar
      • JS7 JobScheduler (release 2.0.0 and newer)
        • Controller
          • remove the following libraries from directory: JS7_CONTROLLER_HOME/lib/3rd-party
            • org.apache.logging.log4j.log4j-core-2.14.1.jar or any later version before 2.17.0
          • add the following libraries to directory: JS7_CONTROLLER_HOME/lib/3rd-party
            • log4j-core-2.16.0.jar
        • Agent
          • remove the following libraries from directory: JS7_AGENT_HOME/lib/3rd-party
            • org.apache.logging.log4j.log4j-core-2.14.1.jar or any later version before 2.17.0
          • add the following libraries to directory: JS7_AGENT_HOME/lib/3rd-party
            • log4j-core-2.17.0.jar
      • Maintenance Releases
        • maintenance releases are targeted for the following dates:
          • release 1.13.11: 2022-03-17
          • release 2.2.0: 2021-12-22
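As an added example (not part of this issue or of the JobScheduler distribution), a POSIX shell check that lists any log4j-core jar below 2.17.0 in a lib/3rd-party directory, so the remove/add steps above can be verified after the fact; the directory path is passed as an argument and the jar name patterns are the two quoted in the workaround.

```shell
#!/bin/sh
# Added example (not part of JOC-1188 or the JobScheduler code base):
# list log4j-core jars below 2.17.0 in a lib/3rd-party directory.
# Matches both file name patterns quoted in the workaround, e.g.
#   log4j-core-2.13.0.jar  and  org.apache.logging.log4j.log4j-core-2.14.1.jar

# Split a dotted version x.y.z into v1 v2 v3 (missing parts become 0).
split3() {
  v1=${1%%.*}; r=${1#"$v1"}; r=${r#.}
  v2=${r%%.*};  r=${r#"$v2"}; r=${r#.}
  v3=${r%%.*}
  : "${v1:=0}" "${v2:=0}" "${v3:=0}"
}

# version_lt A B: succeed (return 0) when A is strictly lower than B.
version_lt() {
  split3 "$1"; x1=$v1; x2=$v2; x3=$v3
  split3 "$2"
  [ "$x1" -lt "$v1" ] && return 0
  [ "$x1" -gt "$v1" ] && return 1
  [ "$x2" -lt "$v2" ] && return 0
  [ "$x2" -gt "$v2" ] && return 1
  [ "$x3" -lt "$v3" ]
}

# find_old_log4j_core DIR: print each log4j-core jar older than 2.17.0;
# return 0 when none is found, 1 otherwise.
find_old_log4j_core() {
  dir=$1; status=0
  for jar in "$dir"/*log4j-core-*.jar; do
    [ -e "$jar" ] || continue          # glob matched nothing
    name=${jar##*/}
    ver=${name##*log4j-core-}          # strip prefix, both naming styles
    ver=${ver%.jar}; ver=${ver%%-*}    # drop .jar and any -classifier
    if version_lt "$ver" 2.17.0; then
      echo "$jar"
      status=1
    fi
  done
  return $status
}

# Usage: sh check_log4j.sh JS7_AGENT_HOME/lib/3rd-party
if [ $# -gt 0 ]; then
  if find_old_log4j_core "$1"; then
    echo "OK: no log4j-core jar older than 2.17.0 in $1"
  else
    echo "ACTION: replace the jar(s) listed above with log4j-core-2.17.0.jar"
  fi
fi
```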

      People

        Andreas Püschel
        Kanika Agrawal