This issue is permanently fixed in WorldServer version 11.7.2 where log4j 2.17 will be used.
CVE-2021-45105: if you read the page on https://logging.apache.org/log4j/2.x/security.html, you will notice:
- Solved with upgrade to log4j 2.17
- Alternatively, this can be mitigated in configuration:
- In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
- Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
WorldServer does not ship log configurations that include Context Lookups like ${ctx:loginId} or $${ctx:loginId}, and it is highly unlikely that a customer uses such patterns. Therefore, we do not see the necessity to use log4j 2.17.
If you would like to upgrade your log4j files to version 2.17, you can do this yourself by following the steps below, but using the log4j 2.17 files provided by Apache. The WorldServer development team does not expect issues, but please be aware that we have not tested log4j 2.17 with WorldServer versions 11.6 to 11.7.1. If there are issues, the process is easily reversible to return to 2.16, and the configuration mitigation still applies.
FYI: the consequence of CVE-2021-45105 would be a stack overflow that eventually crashes the application, but no remote code execution.
Below are the instructions for customers on previous versions.
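The mitigation argument above rests on two facts about an installation: which log4j jar versions are actually on disk, and whether any logging configuration still uses a Context Lookup in a PatternLayout. The PowerShell script below is an added example, not part of the original advisory or the vendor's tooling; it checks both conditions across the install trees. The root paths and the fixed-version threshold are assumptions and should be adjusted to your installation.

```powershell
# Added example (not part of the original advisory): audit the log4j state of a
# WorldServer / Jasper installation against the two conditions the advisory relies on:
#   1. which log4j-* jar versions are present under the Tomcat and Reports trees, and
#   2. whether any log4j configuration still uses a Context Lookup (${ctx:...} or $${ctx:...}),
#      which is the precondition for CVE-2021-45105 while 2.16.0 is in use.
# The root paths below are assumptions; point them at your own install directories.

param(
    [string[]]$Roots = @('D:\WorldServer\tomcat', 'D:\Reports_home'),   # assumed install roots
    [version]$FixedVersion = [version]'2.17.0'                            # CVE-2021-45105 is fixed from here
)

$namePattern = '^(?<artifact>log4j-.+)-(?<ver>\d+\.\d+\.\d+)$'

# Condition 1: inventory every log4j-<artifact>-<version>.jar and classify it.
$results = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Filter 'log4j-*.jar' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.BaseName -match $namePattern) {
                $ver = [version]$Matches.ver
                $status = if ($ver -ge $FixedVersion) { 'OK' } elseif ($ver -ge [version]'2.16.0') { 'Mitigated (2.16.0: CVE-2021-45105 not fixed)' } else { 'Needs replacement' }
                [pscustomobject]@{
                    Path     = $_.FullName
                    Artifact = $Matches.artifact
                    Version  = $ver
                    Status   = $status
                }
            }
        }
}
$results | Sort-Object Path | Format-Table -AutoSize
$needs = @($results | Where-Object Status -eq 'Needs replacement')
"$($needs.Count) jar(s) below 2.16.0 still present."

# Condition 2: look for Context Lookups in log4j configuration files.
# The regex matches a literal ${ctx: or $${ctx: anywhere in the file.
$lookupPattern = '\$\$?\{ctx:'
$configHits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Include 'log4j*.xml', 'log4j*.properties', 'log4j*.json', 'log4j*.yaml', 'log4j*.yml' -ErrorAction SilentlyContinue |
        Select-String -Pattern $lookupPattern
}
if ($configHits) {
    "Context Lookups found (replace with %X{key}, %mdc{key} or %MDC{key}, or upgrade to $FixedVersion):"
    $configHits | ForEach-Object { "  $($_.Path):$($_.LineNumber): $($_.Line.Trim())" }
} else {
    'No ${ctx:...} or $${ctx:...} Context Lookups found in log4j configuration files.'
}
```

Run it once before the replacement procedure to see what has to change, and again afterwards: the expected end state for the advisory's own procedure is every jar at 2.16.0 with status "Mitigated" and no Context Lookup hits; only an upgrade to 2.17 turns the status to "OK".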
Customers at versions 11.6.0, 11.6.1, or 11.6.2:
Before replacing the files, it is advisable to create a backup copy in a different location. Most of the files are common between folders; one single copy is enough.
- Stop the Idiom Process Monitor service
- Go to \\WorldServer\tomcat\webapps\ws\WEB-INF\lib
Replace the following 3 files:
- log4j-1.2-api-2.13.0.jar
- log4j-api-2.13.0.jar
- log4j-core-2.13.0.jar
With these files from the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- Go to \\WorldServer\tomcat\webapps\ws-api\WEB-INF\lib
Replace the following 3 files:
- log4j-1.2-api-2.13.0.jar
- log4j-api-2.13.0.jar
- log4j-core-2.13.0.jar
With these files from the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- Go to \\WorldServer\tomcat\webapps\ws-legacy\WEB-INF\lib
Replace the following 3 files:
- log4j-1.2-api-2.13.0.jar
- log4j-api-2.13.0.jar
- log4j-core-2.13.0.jar
With these files from the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- Start the Idiom Process Monitor service
WAR files: The following should be done only after stopping the Idiom service. We also recommend moving the WAR files from the \tomcat\webapps\ folder to a separate location, so that Tomcat cannot unpack them again and overwrite the replaced jars.
NOTE: If you need to re-deploy WorldServer, you will have to copy the WAR files back into the \tomcat\webapps\ folder. After the re-deployment is done, please make sure you redo the log4j steps above, because the re-deployed application contains the original jars.
Also, any customizations or hotfixes previously applied need to be re-applied or re-installed after a re-deployment.
Jasper 7.5 (installed with WorldServer 11.6.x)
Before replacing the files, it is advisable to create a backup copy in a different location. Most of the files are common between folders; one single copy is enough.
- Stop the SDL WorldServer Reports service
- Go to \\Reports_home\buildomatic\conf_source\iePro\lib
Replace the following 6 files:
- log4j-1.2-api-2.12.1.jar
- log4j-api-2.12.1.jar
- log4j-core-2.12.1.jar
- log4j-jcl-2.12.1.jar
- log4j-jul-2.12.1.jar
- log4j-slf4j-impl-2.12.1.jar
With these files from the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- log4j-jcl-2.16.0.jar
- log4j-jul-2.16.0.jar
- log4j-slf4j-impl-2.16.0.jar
- Go to \\Reports_home\buildomatic\target
Replace the following 4 files:
- log4j-1.2-api-2.12.1.jar
- log4j-api-2.12.1.jar
- log4j-core-2.12.1.jar
- log4j-jcl-2.12.1.jar
With these files from the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- log4j-jcl-2.16.0.jar
- Go to \\Reports_home\Reports\tomcat\webapps\jasperserver-pro\WEB-INF\lib
Replace the following 7 files:
- log4j-1.2-api-2.12.1.jar
- log4j-api-2.12.1.jar
- log4j-core-2.12.1.jar
- log4j-jcl-2.12.1.jar
- log4j-jul-2.12.1.jar
- log4j-slf4j-impl-2.12.1.jar
- log4j-web-2.12.1.jar
With these files from the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- log4j-jcl-2.16.0.jar
- log4j-jul-2.16.0.jar
- log4j-slf4j-impl-2.16.0.jar
- log4j-web-2.16.0.jar
- Start the SDL WorldServer Reports service
Note: If Jasper Reports is re-deployed, please make sure to follow the above steps regarding log4j 2.x again to re-apply the patch.
Customers at versions 11.7.0 and 11.7.1:
Before replacing the files, it is advisable to create a backup copy in a different location. Most of the files are common between folders; one single copy is enough.
- Stop the Idiom Process Monitor service
- Go to \\WorldServer\tomcat\webapps\ws\WEB-INF\lib
Replace the following 3 files:
- log4j-1.2-api-2.13.2.jar
- log4j-api-2.13.2.jar
- log4j-core-2.13.2.jar
With these files from the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- Go to \\WorldServer\tomcat\webapps\ws-api\WEB-INF\lib
Replace the following 3 files:
- log4j-1.2-api-2.13.2.jar
- log4j-api-2.13.2.jar
- log4j-core-2.13.2.jar
With these files from the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- Go to \\WorldServer\tomcat\webapps\ws-legacy\WEB-INF\lib
Replace the following 3 files:
- log4j-1.2-api-2.13.2.jar
- log4j-api-2.13.2.jar
- log4j-core-2.13.2.jar
With these files from the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- Start the Idiom Process Monitor service
WAR files: We also recommend moving the WAR files from the \tomcat\webapps\ folder to a separate location, so that Tomcat cannot unpack them again and overwrite the replaced jars.
NOTE: If you need to re-deploy WorldServer, you will have to copy the WAR files back into the \tomcat\webapps\ folder. After the re-deployment is done, please make sure you redo the log4j steps above, because the re-deployed application contains the original jars.
Also, any customizations or hotfixes previously applied need to be re-applied or re-installed after a re-deployment.
Jasper 7.9 (installed with WorldServer 11.7.0 and 11.7.1)
Before replacing the files, it is advisable to create a backup copy in a different location. Most of the files are common between folders; one single copy is enough.
- Stop the WorldServer Reports service
- Go to \\Reports_home\buildomatic\conf_source\iePro\lib
Replace the following 6 files:
- log4j-1.2-api-2.13.3.jar
- log4j-api-2.13.3.jar
- log4j-core-2.13.3.jar
- log4j-jcl-2.13.3.jar
- log4j-jul-2.13.3.jar
- log4j-slf4j-impl-2.13.3.jar
With these files from the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- log4j-jcl-2.16.0.jar
- log4j-jul-2.16.0.jar
- log4j-slf4j-impl-2.16.0.jar
- Go to \\Reports_home\buildomatic\bin
Replace the following 4 files:
- log4j-1.2-api-2.13.3.jar
- log4j-api-2.13.3.jar
- log4j-core-2.13.3.jar
- log4j-jcl-2.13.3.jar
With these files from the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- log4j-jcl-2.16.0.jar
- Go to \\Reports_home\Reports\tomcat\webapps\jasperserver-pro\WEB-INF\lib
Replace the following 7 files:
- log4j-1.2-api-2.13.3.jar
- log4j-api-2.13.3.jar
- log4j-core-2.13.3.jar
- log4j-jcl-2.13.3.jar
- log4j-jul-2.13.3.jar
- log4j-slf4j-impl-2.13.3.jar
- log4j-web-2.13.3.jar
With these files from the attached log4j-2.16.0.zip:
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- log4j-jcl-2.16.0.jar
- log4j-jul-2.16.0.jar
- log4j-slf4j-impl-2.16.0.jar
- log4j-web-2.16.0.jar
- Start the WorldServer Reports service
Note: If Jasper Reports is re-deployed, please make sure to follow the above steps regarding log4j 2.x again to re-apply the patch.
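All four procedures above (WorldServer 11.6.x, Jasper 7.5, WorldServer 11.7.x and Jasper 7.9) are the same operation: stop the service, back up and replace the log4j jars in each lib directory with their counterparts from the extracted log4j-2.16.0.zip, optionally move the WAR files out of webapps, and start the service again. The PowerShell script below is an added example and not the vendor's own tooling; it automates that sequence for one section at a time, driven by the artifact name in each file name so that the same script serves the 3-, 4-, 6- and 7-file directories. The service name, directory list, zip extraction folder, backup folder and webapps path are assumptions for the first WorldServer section; substitute the values from the section that matches your version.

```powershell
# Added example (not the vendor's own tooling): automate the jar swap described in the
# advisory. For each lib directory, every log4j-<artifact>-<oldversion>.jar that has a
# counterpart log4j-<artifact>-<newversion>.jar in the extracted zip is backed up, removed
# and replaced. Artifacts with no counterpart in the zip are left alone and reported.
# All parameter defaults are assumptions; take them from the section that matches your version.

param(
    [string]$ServiceName = 'Idiom Process Monitor',         # e.g. 'SDL WorldServer Reports' for the Jasper sections
    [string[]]$LibDirs = @(
        'D:\WorldServer\tomcat\webapps\ws\WEB-INF\lib',
        'D:\WorldServer\tomcat\webapps\ws-api\WEB-INF\lib',
        'D:\WorldServer\tomcat\webapps\ws-legacy\WEB-INF\lib'
    ),
    [string]$NewJarDir = 'C:\Temp\log4j-2.16.0',              # extracted contents of the attached log4j-2.16.0.zip
    [string]$BackupDir = 'C:\Temp\log4j-backup',
    [string]$WebappsDir = ''                                  # set to D:\WorldServer\tomcat\webapps to also move the WAR files out
)

$ErrorActionPreference = 'Stop'
$namePattern = '^(?<artifact>log4j-.+)-(?<ver>\d+\.\d+\.\d+)$'

# Index the replacement jars by artifact name (log4j-core, log4j-1.2-api, log4j-web, ...).
$newJars = @{}
foreach ($jar in Get-ChildItem -Path $NewJarDir -Filter 'log4j-*.jar') {
    if ($jar.BaseName -match $namePattern) { $newJars[$Matches.artifact] = $jar }
}
if ($newJars.Count -eq 0) { throw "No log4j jars found in $NewJarDir" }

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 1: stop the service so Tomcat does not hold the jars open while they are replaced.
Stop-Service -Name $ServiceName

foreach ($dir in $LibDirs) {
    foreach ($old in Get-ChildItem -Path $dir -Filter 'log4j-*.jar') {
        if (-not ($old.BaseName -match $namePattern)) { continue }
        $new = $newJars[$Matches.artifact]
        if (-not $new) {
            Write-Warning "$($old.Name) in $dir has no replacement in $NewJarDir; left in place"
            continue
        }
        if ($old.Name -eq $new.Name) { continue }     # already replaced, so a re-run is harmless
        # Step 2: one backup copy per file name is enough, as the advisory notes.
        Copy-Item -Path $old.FullName -Destination (Join-Path $BackupDir $old.Name) -Force
        Remove-Item -Path $old.FullName
        Copy-Item -Path $new.FullName -Destination (Join-Path $dir $new.Name)
        "$dir : $($old.Name) -> $($new.Name)"
    }
}

# Optional (WorldServer sections): move the WAR files out of webapps so Tomcat cannot
# expand them again over the replaced jars. Copy them back before any re-deployment.
if ($WebappsDir) {
    Get-ChildItem -Path $WebappsDir -Filter '*.war' | Move-Item -Destination $BackupDir -Force
}

# Step 3: start the service again and show what is now on disk.
Start-Service -Name $ServiceName
Get-ChildItem -Path $LibDirs -Filter 'log4j-*.jar' | Select-Object Directory, Name
```

Run it from an elevated PowerShell session once per section, changing the parameters between runs; the final listing should show only 2.16.0 (or 2.17.0, if you chose the Apache files) jars in every directory. Rolling back is the same operation in reverse: stop the service, copy the jars from the backup folder back into place, and start the service.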