Apache Log4Shell Vulnerabilities
CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832
Please follow these Instructions to resolve all 4 Log4j vulnerabilities.
Upgrade Instructions
We recommend the following partial upgrade instructions to resolve this specific issue by following these steps:
- Retrieve the latest
opsview-jasperpackage for your OS and Opsview version, which containsLog4j 2.17.1. - Install this package directly using
apt/yum. - Run the
reporting-install.ymlplaybook asroot. - Verify that the
Log4jversions used are2.17.1 - Verify that the Reports page in
Monitoring > Reportsloads correctly.
However, full upgrade instructions are available on From 6.4.x or later to 6.6.
Note: If the following partial upgrade steps are used, then any further upgrades to versions below 6.6.6 may revert these steps and lose the security fix. Please upgrade to version 6.6.6 or higher on your next full upgrade to retain this fix.
Step 1 - Retrieve the latest opsview-jasper package
opsview-jasper packageTo discover your Operating system version run:
lsb_release -a
To discover your Opsview version run:
sudo cat /opt/opsview/webapp/var/version
On RPM based operating systems:
Copy the correct package URL for your Opsview version and Operating system from the the following table:
Then paste it into the following command, and run:
wget <URL-FOR-PACKAGE> -O opsview-jasper.rpm
On Debian based operating systems:
Copy the correct package URL for your Opsview version and Operating system from the the following table:
Debian 8 is no-longer supported. If you are using Debian 8, please upgrade to Debian 10 using the following instructions Upgrade from Debian 8 to Debian 10
Then paste it into the following command, and run:
wget <URL-FOR-PACKAGE> -O opsview-jasper.deb
Step 2 - Install package
On RPM based operating systems:
sudo yum install ./opsview-jasper.rpm
On Debian based operating systems:
sudo apt install ./opsview-jasper.deb
Step 3 - Run reporting-install.yml playbook
reporting-install.yml playbooksudo /opt/opsview/deploy/bin/opsview-deploy /opt/opsview/deploy/lib/playbooks/reporting-install.yml
Step 4 - Verify that Log4j versions used are 2.17.1
Log4j versions used are 2.17.1Run
find /opt/opsview -name "*log4j*.jar"
The output should look like the following:
/opt/opsview/jasper/apache-ant/lib/ant-apache-log4j.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/jmx-logger-log4j-0.3.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-jcl-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-jul-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-web-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-api-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-1.2-api-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-core-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-1.2-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-core-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-jcl-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-jul-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-slf4j-impl-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-jcl-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-1.2-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-core-2.17.1.jar
The
ant-apache-log4j.jarandjmx-logger-log4j-0.3.1.jarfiles make use of the shipped 2.17.1 version so should not be a cause for concern.
Updated almost 2 years ago