Critical Apache Log4j Vulnerability in WorldServer: resolution for versions 11.0.0 and 11.0.1

Information

Article Type: Solution Article
Scope/Environment: SDL WorldServer
Symptoms/Context
There is a critical remote code execution vulnerability in Apache Log4j2 v2.0 through v2.14. How do we address this issue in WorldServer versions 11.0.0 and 11.0.1?
Resolution

WorldServer 11.0.0 and 11.0.1 use log4j 1.x, but they also contain log4j 2.2 as a transitive dependency.

To mitigate this issue for log4j 2.2, the JndiLookup.class entry must be removed from log4j-core-2.2.jar (it sits at org\apache\logging\log4j\core\lookup\JndiLookup.class inside the jar).

Attached to this article you will find a copy of the jar with that class removed. You can either use it, or make your own copy of log4j-core-2.2.jar with the class removed.

Use it to replace the existing log4j-core-2.2.jar in the following locations:
  1. \WorldServer\tomcat\webapps\ws\WEB-INF\lib
  2. \WorldServer\tomcat\webapps\ws-api\WEB-INF\lib
Optionally (recommended), also replace it inside the war files (this can be done with 7-Zip, for example):
  1. \WorldServer\tomcat\webapps\ws.war\WEB-INF\lib\
  2. \WorldServer\tomcat\webapps\ws-api.war\WEB-INF\lib\
Important: WorldServer (Idiom Service) should be restarted after this change.

In a multi-server environment, the replacement and the restart must be carried out on every Application Server on which WorldServer is deployed.
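As an added example (not part of this article or of the attached jar), the following Python script performs the two checks a practitioner wants around the steps above on an exploded WEB-INF\lib directory: it lists which jars still contain org/apache/logging/log4j/core/lookup/JndiLookup.class, and it writes a copy of a jar with that single entry removed, which is what the attached log4j-core-2.2.jar provides. The directory layout and the sample jar built in demo() are constructed for illustration; in practice you would point find_jars_with_jndi_lookup at the real ws and ws-api lib directories and re-run it after the replacement and restart. The script does not look inside the .war archives themselves.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

# Entry name inside the jar (jar entries always use forward slashes).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_jars_with_jndi_lookup(lib_dir):
    """Return the jars under lib_dir (recursively) that still contain JndiLookup.class."""
    hits = []
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        with zipfile.ZipFile(jar) as zf:
            if JNDI_LOOKUP in zf.namelist():
                hits.append(jar)
    return hits


def strip_jndi_lookup(src_jar, dst_jar):
    """Write a copy of src_jar to dst_jar with JndiLookup.class omitted.

    Every other entry (manifest, other classes, resources) is copied unchanged.
    Returns the number of entries dropped, so a result of 0 means the jar was already clean.
    """
    removed = 0
    with zipfile.ZipFile(src_jar) as zin, zipfile.ZipFile(dst_jar, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP:
                removed += 1
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def demo():
    """Constructed end-to-end run: build a fake jar, scan, strip, replace, re-scan."""
    work = Path(tempfile.mkdtemp())
    lib = work / "WEB-INF" / "lib"      # stands in for ...\ws\WEB-INF\lib
    lib.mkdir(parents=True)
    fake_jar = lib / "log4j-core-2.2.jar"
    # Constructed stand-in for the real jar: a manifest, a harmless class and the JNDI lookup class.
    with zipfile.ZipFile(fake_jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")

    before = [p.name for p in find_jars_with_jndi_lookup(lib)]
    fixed_jar = work / "log4j-core-2.2.jar"
    removed = strip_jndi_lookup(fake_jar, fixed_jar)
    shutil.move(str(fixed_jar), str(fake_jar))   # replace the original in place
    after = [p.name for p in find_jars_with_jndi_lookup(lib)]
    with zipfile.ZipFile(fake_jar) as zf:
        entries = sorted(zf.namelist())
    shutil.rmtree(work)
    return {"before": before, "removed": removed, "after": after, "entries": entries}


if __name__ == "__main__":
    print(demo())
```

The scan deliberately matches on the entry name rather than on the jar's file name, so a renamed or repackaged copy of log4j-core is still reported; running it against both the ws and ws-api lib directories after the restart confirms the replacement took effect on that server.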

Note: this issue will be permanently solved in the upcoming WorldServer 11.7.2 version.
Root Cause
This issue impacts all WorldServer 11 versions. This issue does not impact WorldServer 10 deployments.
Reference
Attachment 1
Attachment 2
Attachment 3
Attachment 4
Attachment 5