On December 9, 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. This vulnerability allows an attacker to execute code on a remote server; a so-called Remote Code Execution (RCE). Because of the widespread use of Java and log4j this is likely one of the most serious vulnerabilities on the Internet since both Heartbleed and ShellShock.

It is CVE-2021-44228 and CVE-2021-45046 and affects version 2 of log4j between versions 2.0-beta-9 and 2.14.1.
It is not present in version 1 of log4j and is patched in version 2.15.0.

What about CVE-2021-45105 (released on December 20th, 2021)?

This issue impacts all WorldServer 11 versions and the associated Report Center. This issue does not impact WorldServer 10 deployments.
This article provides step-by-step resolutions for WordServer version 11.6.x, 11.7.0 and 11.7.1. and Jasper Report Servers 7.5 and 7.9

This issue is permanently fixed in WorldServer version 11.7.2 where log4j 2.17 will be used.

CVE-2021-45105: if you read the page on https://logging.apache.org/log4j/2.x/security.html, you will notice:

1. Solved with upgrade to log4j 2.17
2. Alternatively, this can be mitigated in configuration:

• In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
• Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

In WorldServer, we do not provide log configurations that include Context lookups like ${ctx:loginId} or $${ctx:loginId}. Also, it’s highly unlikely that a customer use such patterns. Therefore, we do not see the necessity to use log4j 2.17. 

If you would like to upgrade your log4j file to version 2.17, you can do this yourself by following the steps below, but using the log4j 2.17 file provided by Apache. The WorldServer development team does not expect issues, but please be aware that haven't tested the usage of log4j 2.17 in WorldServer versions 11.6. to 11.7.1. If there are issues, the process is easily reversible to use 2.16 and the mitigation still applies.

FYI: CVE-2021-45105 consequences would be a stackoverflow and eventually the application would crash, but no remote code execution.

Below are the instructions for customers in previous versions.

Customers at versions 11.6.0, 11.6.1, or 11.6.2:

Before replacing the files, it is advisory to create a backup copy in a different location. Most of the files are common between folders – one single copy is enough.

1. Stop Idiom Process Monitor service
2. Go to \\WorldServer\tomcat\webapps\ws\WEB-INF\lib

Replace the following 3 files:
- log4j-1.2-api-2.13.0.jar
- log4j-api-2.13.0.jar
- log4j-core-2.13.0.jar

With these files in the attached zip log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
 

3. Go to \\WorldServer\tomcat\webapps\ws-api\WEB-INF\lib

Replace the following 3 files:
- log4j-1.2-api-2.13.0.jar
- log4j-api-2.13.0.jar
- log4j-core-2.13.0.jar

With these files in the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar

4. Go to \\WorldServer\tomcat\webapps\ws-legacy\WEB-INF\lib

Replace the following 3 files:
- log4j-1.2-api-2.13.0.jar
- log4j-api-2.13.0.jar
- log4j-core-2.13.0.jar
               
With these files in the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar

5. Start Idiom Process Monitor service

WAR files: The following should be done only after stopping the Idiom service: We also recommend moving the WAR files from the \tomcat\webapps\ folder in a separate location to prevent unwanted expansion.

NOTE: In case you will need to re-deploy either WorldServer you will have to copy the WAR files back into \tomcat\webapps\ folder. After the re-deployment is done, please make sure you redo the steps above regarding log4j.
Also, in case of any customizations or Hotfixes previously applied, these need to be re-applied/re-installed.
 

Jasper 7.5 (installed with WorldServer 11.6.x) 

Before replacing the files, it is advisory to create a backup copy in a different location. Most of the files are common between folders – one single copy is enough.

1. Stop the SDL WorldServer Reports service
2. Go to \\Reports_home\buildomatic\conf_source\iePro\lib

Replace the following 6 files:

• log4j-1.2-api-2.12.1.jar
• log4j-api-2.12.1.jar
• log4j-core-2.12.1.jar
• log4j-jcl-2.12.1.jar
• log4j-jul-2.12.1.jar
• log4j-slf4j-impl-2.12.1.jar

With these files in the attached log4j-2.16.0.zip:

• log4j-1.2-api-2.16.0.jar
• log4j-api-2.16.0.jar
• log4j-core-2.16.0.jar
• log4j-jcl-2.16.0.jar
• log4j-jul-2.16.0.jar
• log4j-slf4j-impl-2.16.0.jar

3. Go to \\Reports_home\buildomatic\target

Replace the following 4 files:

• log4j-1.2-api-2.12.1.jar
• log4j-api-2.12.1.jar
• log4j-core-2.12.1.jar
• log4j-jcl-2.12.1.jar

With these files from the attached log4j-2.16.0.zip:

• log4j-1.2-api-2.16.0.jar
• log4j-api-2.16.0.jar
• log4j-core-2.16.0.jar
• log4j-jcl-2.16.0.jar

4. Go to \\Reports_home\Reports\tomcat\webapps\jasperserver-pro\WEB-INF\lib

Replace the following 7 files:

• log4j-1.2-api-2.12.1.jar
• log4j-api-2.12.1.jar
• log4j-core-2.12.1.jar
• log4j-jcl-2.12.1.jar
• log4j-jul-2.12.1.jar
• log4j-slf4j-impl-2.12.1.jar
• log4j-web-2.12.1.jar

With these files from the attached log4j-2.16.0.zip:

• log4j-1.2-api-2.16.0.jar
• log4j-api-2.16.0.jar
• log4j-core-2.16.0.jar
• log4j-jcl-2.16.0.jar
• log4j-jul-2.16.0.jar
• log4j-slf4j-impl-2.16.0.jar
• log4j-web-2.16.0.jar

5. Start SDL WorldServer Reports service

Note: In case of Jasper Reports re-deployment, please make sure to follow the above steps regarding log4j 2.x, to re-apply the patch. 
 

Customers at versions 11.7.0 and 11.7.1

Before replacing the files, it is advisory to create a backup copy in a different location. Most of the files are common between folders – one single copy is enough.

1. Stop Idiom Process Monitor service
2. Go to \\WorldServer\tomcat\webapps\ws\WEB-INF\lib

Replace the following 3 files:
- log4j-1.2-api-2.13.2.jar
- log4j-api-2.13.2.jar
- log4j-core-2.13.2.jar

With these files in the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar 

3. Go to \\WorldServer\tomcat\webapps\ws-api\WEB-INF\lib

Replace the following 3 files:
- log4j-1.2-api-2.13.2.jar
- log4j-api-2.13.2.jar
- log4j-core-2.13.2.jar

With these files in the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar

4. Go to \\WorldServer\tomcat\webapps\ws-legacy\WEB-INF\lib

Replace the following 3 files:
- log4j-1.2-api-2.13.2.jar
- log4j-api-2.13.2.jar
- log4j-core-2.13.2.jar

With these files in the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar

5. Start Idiom Process Monitor service

WAR files: We also recommend moving the WAR files from the \tomcat\webapps\ folder in a separate location to prevent unwanted expansion.

NOTE: In case you will need to re-deploy either WorldServer you will have to copy the WAR files back into \tomcat\webapps\ folder. After the re-deployment is done, please make sure you redo the steps above regarding log4j.
Also, in case of any customizations or Hotfixes previously applied, these need to be re-applied/re-installed.

 

Jasper 7.9 (installed with WorldServer 11.7.0 and 11.7.1) 

Before replacing the files, it is advisory to create a backup copy in a different location. Most of the files are common between folders – one single copy is enough.

1. Stop the WorldServer Reports service
2. Go to \\Reports_home\buildomatic\conf_source\iePro\lib

Replace the following 6 files:

• log4j-1.2-api-2.13.3.jar
• log4j-api-2.13.3.jar
• log4j-core-2.13.3.jar
• log4j-jcl-2.13.3.jar
• log4j-jul-2.13.3.jar
• log4j-slf4j-impl-2.13.3.jar

With these files in the attached zip:

• log4j-1.2-api-2.16.0.jar
• log4j-api-2.16.0.jar
• log4j-core-2.16.0.jar
• log4j-jcl-2.16.0.jar
• log4j-jul-2.16.0.jar
• log4j-slf4j-impl-2.16.0.jar

3. Go to \\Reports_home\buildomatic\bin

Replace the following 4 files:

• log4j-1.2-api-2.13.3.jar
• log4j-api-2.13.3.jar
• log4j-core-2.13.3.jar
• log4j-jcl-2.13.3.jar

With these files from the attached zip:

• log4j-1.2-api-2.16.0.jar
• log4j-api-2.16.0.jar
• log4j-core-2.16.0.jar
• log4j-jcl-2.16.0.jar

4. Go to \\Reports_home\Reports\tomcat\webapps\jasperserver-pro\WEB-INF\lib

Replace the following 7 files:

• log4j-1.2-api-2.13.3.jar
• log4j-api-2.13.3.jar
• log4j-core-2.13.3.jar
• log4j-jcl-2.13.3.jar
• log4j-jul-2.13.3.jar
• log4j-slf4j-impl-2.13.3.jar
• log4j-web-2.13.3.jar

With these files from the attached log4j-2.16.0.zip:

• log4j-1.2-api-2.16.0.jar
• log4j-api-2.16.0.jar
• log4j-core-2.16.0.jar
• log4j-jcl-2.16.0.jar
• log4j-jul-2.16.0.jar
• log4j-slf4j-impl-2.16.0.jar
• log4j-web-2.16.0.jar

5. Start the WorldServer Reports service

Note: In case of Jasper Reports re-deployment, please make sure to follow the above steps regarding log4j 2.x, to re-apply the patch. 

Log4j2 is used in WorldServer. There is a critical remote code execution vulnerability for Apache Log4j2 v2.0 through v2.14.
This issue impacts all WorldServer 11 versions and the associated Report Center.

In WorldServer version 11.6.1 and 11.6.2, log4j 2.13.0 is used. In these versions, Jasper Report Server 7.5 is used
In WorldServer version 11.7.0 and 11.7.1, log4j 2.13.2 is used. In these versions, Jasper Report Server 7.9 is used
 

These articles are relevant:

Critical Apache Log4j Vulnerability in WorldServer 11.x
Critical Apache Log4j Vulnerability in WorldServer- resolution for versions 11.3.x to 11.5.x (included)
Critical Apache Log4j Vulnerability in WorldServer- resolution for versions 11.1.0, 11.1.1. and 11.2.x
Critical Apache Log4j Vulnerability in WorldServer- resolution for versions 11.0.0. and 11.0.1
Are WorldServer 10.x versions affected by the critical Apache Log4j Vulnerability?