Apache Log4j Security Vulnerabilities Workaround

Abstract

This workaround addresses CVE-2021-45046 and CVE-2021-44228 Apache Log4j Security Vulnerabilities in PoolParty 8.1.3 and previous versions.

Note

Starting from version 8.1.4, PoolParty uses versions of Apache Log4j where these security vulnerabilities are fixed (Apache Log4j 2.16.0 in PoolParty 8.1.4 and Apache Log4j 2.17.1 in PoolParty 8.1.5). You can get the latest PoolParty version from our download area.

Workaround for Linux for PoolParty 8.0 or Later

Update setenv.sh with an additional JAVA_OPTS parameter:

  1. Stop PoolParty.

  2. Open <poolparty.home>/tomcat/bin/setenv.sh.

  3. Insert the following lines at the top of the file:

    #!/bin/bash
    export JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"

  4. Start PoolParty.

  5. To make sure that the workaround is applied properly, check the PoolParty log files for the following line:

    <date> - <time> INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=true
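
One way to script the check in step 5, as an added example that is not part of PoolParty's documentation or tooling. The function names, the script name and the use of Tomcat's "Server version" line as the marker for a new startup are assumptions; the second function guards against a log that still holds the flag from an older start, and both reject a value with a typographic quote attached.

```shell
#!/bin/sh
# Added example (not PoolParty code): verify the workaround after a restart.
# Usage: sh check_nolookups.sh <setenv.sh> <tomcat-log>   (script name is hypothetical)

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# True only if JAVA_OPTS in setenv.sh carries the flag followed by a plain
# double quote, whitespace or end of line. A typographic quote pasted from a
# web page becomes part of the value and fails this test.
flag_in_setenv() {
  grep -Eq '^[[:space:]]*(export[[:space:]]+)?JAVA_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true(["[:space:]]|$)' "$1"
}

# True only if the most recent startup recorded in the log passed the flag to
# the JVM. Assumption: VersionLoggerListener writes a "Server version" line
# at the beginning of every startup, so that line resets the result.
flag_in_last_startup() {
  awk -v flag="$FLAG" '
    !/VersionLoggerListener/ { next }          # only the startup banner lines
    /Server version/         { found = 0 }     # a new startup begins
    /Command line argument: / {
      arg = $0
      sub(/.*Command line argument: /, "", arg)
      sub(/[ \t\r]+$/, "", arg)                # ignore trailing blanks and CR
      if (arg == flag) found = 1               # exact match, no extra characters
    }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Run both checks when the script is called with the two file paths.
if [ "$#" -eq 2 ]; then
  if flag_in_setenv "$1" && flag_in_last_startup "$2"; then
    echo "OK: $FLAG is set and was passed to the JVM at the last startup"
  else
    echo "FAIL: flag missing from $1 or from the last startup in $2" >&2
    exit 1
  fi
fi
```

The check confirms only that the flag reached the JVM; upgrading to a PoolParty version that ships a fixed Log4j, as the note at the top describes, replaces the vulnerable library itself.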

Workaround for Linux for PoolParty 7.x or Earlier

Update the PoolParty start script with an additional parameter in START_OPTS:

  1. Stop PoolParty.

  2. Open <poolparty.home>/bin/poolparty.

  3. Search for the "START_OPTS" variable and add the parameter -Dlog4j2.formatMsgNoLookups=true \ to the beginning.

    The section will look similar to the one below:

    START_OPTS="-Dlog4j2.formatMsgNoLookups=true \
    -Dfile.encoding=UTF-8 \
    -DconfigFileLocation=${UV_PropertyFile} \
    -Dorg.eclipse.rdf4j.appdata.basedir=${UV_ConfigData} \
    -Dpoolparty.configRoot=${POOLPARTY_CONFIG} \
    -Dpoolparty.Context=${TOMCAT_DESCRIPTION} \
    -Dcatalina.home=${TOMCAT_HOME} \
    ...

  4. Start PoolParty.

  5. To make sure that the workaround is applied properly, check the PoolParty log files for the following line:

    <date> - <time> INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=true

Workaround for Windows

  1. Stop PoolParty.

  2. Open <poolparty.home>/tomcat/bin/tomcat9w.exe.

  3. Navigate to the Java tab and add -Dlog4j2.formatMsgNoLookups=true to the Java Options section.

  4. Start PoolParty.

  5. To make sure that the workaround is applied properly, check the PoolParty log files for the following line:

    <date> - <time> INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=true