...
According to Apache’s guidance, in releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
This setting can be implemented straight away and can be applied to the following components:
- Operator Client and FSS: add to the clientConfig.xml: <jvmOption>-Dlog4j2.formatMsgNoLookups=true</jvmOption> (More information for OC and FSS)
- Master Controller: add to the mcConfig.xml: <jvmOption>-Dlog4j2.formatMsgNoLookups=true</jvmOption> (More information for the MC)
For all Tomcat based web applications, add the following -D property to the JAVA_OPTS in Tomcat: -Dlog4j2.formatMsgNoLookups=true (More information for Tomcat based applications). This applies to:
- Admin Interface
- FewsWebServices
- DatabaseProxy
- ArchiveServer
Open Archive (including Elastic Search)
In the start-up scripts (bin/elastic or bin/elastic.bat) of the Archive Server this -D option can be added.
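As an added example (not part of the Delft-FEWS advisory or Deltares' own tooling), the POSIX shell helpers below apply the mitigation flag described above idempotently and let an operator verify that it actually landed: one function appends -Dlog4j2.formatMsgNoLookups=true to a JAVA_OPTS string only if it is not already there, one adds an export line to a Tomcat bin/setenv.sh (the conventional place for JAVA_OPTS) without duplicating it on re-runs, one checks a clientConfig.xml or mcConfig.xml for the jvmOption element, and one lists running Java processes whose command line still lacks the flag. File paths are passed in by the caller; no FEWS installation layout is assumed.

```shell
#!/bin/sh
# Added example, not from the Delft-FEWS advisory: helpers to apply and verify
# the -Dlog4j2.formatMsgNoLookups=true mitigation. All paths are caller-supplied.

NO_LOOKUPS_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# has_no_lookups_flag "<java opts>"  -> exit 0 if the exact flag is present as a
# whitespace-separated token (so "...=false" does not count as present).
has_no_lookups_flag() {
    case " $1 " in
        *" $NO_LOOKUPS_FLAG "*) return 0 ;;
        *) return 1 ;;
    esac
}

# ensure_no_lookups_flag "<java opts>" -> prints the options with the flag appended
# exactly once; safe to run repeatedly on the same string.
ensure_no_lookups_flag() {
    if has_no_lookups_flag "$1"; then
        printf '%s\n' "$1"
    elif [ -z "$1" ]; then
        printf '%s\n' "$NO_LOOKUPS_FLAG"
    else
        printf '%s %s\n' "$1" "$NO_LOOKUPS_FLAG"
    fi
}

# add_flag_to_setenv <path/to/setenv.sh> -> appends an export line that extends
# JAVA_OPTS with the flag, unless the file already mentions it. Tomcat sources
# bin/setenv.sh on start-up, so the flag reaches every web application in that
# Tomcat instance (Admin Interface, FewsWebServices, DatabaseProxy, ArchiveServer).
add_flag_to_setenv() {
    f="$1"
    if [ -f "$f" ] && grep -qF -- "$NO_LOOKUPS_FLAG" "$f"; then
        return 0
    fi
    printf 'export JAVA_OPTS="$JAVA_OPTS %s"\n' "$NO_LOOKUPS_FLAG" >> "$f"
}

# check_jvm_option_xml <clientConfig.xml|mcConfig.xml> -> exit 0 if the file
# carries the jvmOption element the advisory asks for, exit 1 otherwise.
check_jvm_option_xml() {
    grep -qF -- "<jvmOption>$NO_LOOKUPS_FLAG</jvmOption>" "$1"
}

# report_java_without_flag -> prints the command line of every running java
# process that does not carry the flag; an empty result means all running JVMs
# picked it up (a restart is needed after changing any of the files above).
report_java_without_flag() {
    ps -e -o args | grep '[j]ava' | while IFS= read -r cmdline; do
        has_no_lookups_flag "$cmdline" || printf 'MISSING FLAG: %s\n' "$cmdline"
    done
}
```

Typical use after editing the configuration: `add_flag_to_setenv "$CATALINA_BASE/bin/setenv.sh"`, restart Tomcat, then `report_java_without_flag` to confirm nothing is still running with the old options. The flag is a stopgap; the advisory's upgraded Log4j base build remains the actual fix.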
For Elastic itself (the Open Archive catalogue), the hack is not applicable; see https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476. Elastic has announced a new version. As soon as this is available, Deltares will provide a new package.
This, however, has no impact on Delft-FEWS at all.
Log4j Upgrade to 2.15: New basebuilds will be made available for all supported Delft-FEWS versions
A Log4J upgrade is available and is necessary to prevent security/vulnerability-scanning tools from producing false alarms (for Delft-FEWS). This 2.15 version needs to be 'packed and distributed' with all other Java code of Delft-FEWS.
...
For all other supported Delft-FEWS versions (2019.02 and higher) Deltares will provide a new base-build (+patch) in the next few days. This new base-build will contain Log4J version 2.15. If you are running an older version, please contact the Delft-FEWS helpdesk at fews.support@deltares.nl.
Update 20-12: Log4j Upgrade to 2.17: New basebuilds will be made available for all supported Delft-FEWS versions
Another vulnerability was fixed in a newly released version of Log4j. For all supported Delft-FEWS versions (2019.02 and higher) a new base-build and patch will be made available, using Log4J version 2.17. The earlier mentioned base-build with version 2.15 will not be released.
With the new base build and patch installed the scanning tools will not be flagging Log4j anymore.
If you/your organisation would like to receive the updated base-build/patch of your version, let us know! Please send an e-mail to fews.support@deltares.nl.
If you have any other questions concerning the above, do not hesitate to contact us.
...