NOTE: Geneos components except those in the table, Capacity Planner, Cloud Cost Optimisation, OP5 Monitor and Uptrends are NOT affected by this vulnerability.

ITRS have identified the following products are impacted by Apache Log4J security vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307

Geneos

Geneos GA5.12 is now available to download. This includes upgrade to log4j 2.17.1 to resolve security vulnerabilities CVE-2021-45046, CVE-2021-44228 CVE-2021-45105 and CVE-2021-44832 .

The following Geneos items are NOT affected

• Gateway
• Netprobe
• Collection Agent
• Collection Agent plugins
• Fix Analyser Netprobe
• Fix Analyser File Agent
• Web Slinger
• Licence Daemon
• SSO Agent
• Integrations (except Terracotta Messaging and VMware)

OP5

·        OP5 Monitor is NOT affected by this vulnerability.

LogAnalytics

·        Versions 6.x and Version 7.x

Synthetic Monitoring

·        ZebraTester agents and Browser(BNet) agents

Solution

Geneos

ITRS has released a fixed version GA5.12 which is now available to download. This release includes updates to the following Geneos components to address the security vulnerabilities  CVE-2021-45046, CVE-2021-44228 CVE-2021-45105 and CVE-2021-44832 .

• Active Console, version 5.12
• Web Dashboard, version 5.12
• Terracotta Messaging Integration, version 2.0.236
• VMWare Integration, version 1.4.21

We advise you upgrade to these latest version mentioned above. If you are unable to upgrade, please see workaround information below.

The following workarounds are available for Active Console and Web Dashboard versions 5.1.0 and newer. This can mitigate some attack paths but may be insufficient, we recommend users to upgrade as soon as possible. Note: the workaround is not applicable to Geneos GA5.0.0 and older using log4j 1.x versions.

• Active Console
  • Edit the “ActiveConsole.gci” file to add Dlog4j2.formatMsgNoLookups=true in the -jvmargs section and restart Active Console. For example:

  ############################################################
  
  #### The JVM to use and arguments
  
  ############################################################
  
  -jvm
  
  .\JRE\bin\server\jvm.dll
  -jvmargs
  Xmx1024M
  XX:+HeapDumpOnOutOfMemoryError
  Ddocking.floatingContainerType=frame
  Dsun.java2d.d3d=false
  Dorg.quartz.threadPool.threadCount=1
  Djava.endorsed.dirs=.\jars\endorsed
  Dfile.encoding=UTF-8
  Dlog4j2.formatMsgNoLookups=true

Restart Active Console once the setting have been applied.

• Web-Server / Web Dashboard
  • Edit the “run” script or the “geneosws” script that starts up the JVM to add -Dlog4j2.formatMsgNoLookups=true and restart Web Dashboard. For example:

  GWS_RUN_CMD="$JRE_BIN_PATH/java -XX:+UseConcMarkSweepGC -Xmx1024M -server -Dlog4j2.formatMsgNoLookups=true $HEADLESS $SECURITY_CONFIG $CONFIG $RESOURCES $JAVA_LIBRARY_PATH $LOG_PROPERTIES $PATH_FOR_LOG4J $JAVA_PROPS $SSO_PROPERTIES $BDO_FLAGS $JMX_FLAGS $DUMP_HEAP_ARGS $JAR_PATH $GWS_PORT $WEBAPPS $GWS_PORT $ENABLE_SSL &"

   

Gateway Hub

The Gateway Hub installation includes both Kafka and Zookeeper services. These two services contain log4j-1.2.17 in their packaging. We are aware of the following vulnerabilities impacting log4j 1.x versions.

• CVE-2022-23307
• CVE-2022-23305
• CVE-2022-23302
• CVE-2021-4104

Gateway Hub does not use any of the affected classes in log4j. However, the recommended mitigation for the above vulnerabilities is to remove the offending classes altogether from the log4j-1.2.17.jar artifact.

• If you are running Gateway Hub 2.5.0 or older, you must remove classes: Chainsaw, JMSAppender and JMSSink
• If you are running Gateway Hub 2.5.1, the class Chainsaw is already removed, you must remove classes JMSAppender and JMSSink

Instructions for removing a class from the log4j-1.2.17.jar artifact:

• Stop Gateway Hub

hubctl stop <config_file>

• On each node, navigate to the directory where log4j-1.2.17.jar file is located
  • For Kafka, by default it is: /opt/hub/hub-current/services/kafka-2.12-2.8.1/kafka_2.12-2.8.1/libs
  • For Zookeeper, by default it is: /opt/hub/hub-current/services/zookeeper-3.6.3/apache-zookeeper-3.6.3/lib

• Run the following commands to remove the classes

 zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class
 zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSSink.class
 zip -d log4j-1.2.17.jar org/apache/log4j/net/Chainsaw.class

• Start Gateway Hub

 hubctl start <config_file>

LogAnalytics

Execute the below script on your current installation of LogAnalytics:

log4j-security-patch.sh

Future upcoming versions of LogAnalytics will include the necessary changes and fixes. 

Synthetic Monitoring

• ZebraTester agents
  • Replace the current log4j jars with up-to-date ones, found here:https://eu01.l.antigena.com/l/AUeBAcdmAvrywk8X0Fe1axPqXUSI2eArYv5kPPTXW9MpHAiyxPhPcMF_DrR9Ue0QtuZJtHReq2apJf-HYMNuKRqfeugX7ggB4AbGVhzyeE0a_KSJW6Gb3aJ-_965VmoYHT5bmo29J7E8lk2vgqpfNTtxu13A3~vD032LmY7Ejuc-bQOMA_V
  • Linux location for these files:
    •  /opt/zebratester/embedded/log4j/log4j-api-2.11.0.jar
    • /opt/zebratester/embedded/log4j/log4j-core-2.11.0.jar
  • Windows location for these files:
    • Under your Zebra Tester installation folder.
  • Restart the ZebraTester service.
  •  
• Browser(BNet) agents
  • If you are using version (7.6.3 with Chrome 55), no action is needed.
  • If you are using version 8.1.x (chrome 74 only) you need to upgrade to a new version.
    • Send us your agent’s OS flavor and we’ll provide links to the correct package. 
  • If you are using version 8.2.x and later (with Chrome 87), 
    • Replace the BNet jar located in /opt/asm-browser-agent/embedded/bnet-agent (Linux) with this one: 
    • https://apica-packages.s3.eu-central-1.amazonaws.com/current/bnet-agent/maven/com/apicasystem/bnet/BNetAgent/8.3.17-585/BNetAgent-8.3.17-585.jar. 
    • Restart the agent.