Apache Log4Shell Vulnerabilities
CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832
Please follow these instructions to resolve all 4 Log4j vulnerabilities.
Upgrade Instructions
We recommend the following partial upgrade to resolve this specific issue:
- Retrieve the latest opsview-jasper package for your OS and Opsview version, which contains Log4j 2.17.1.
- Install this package directly using apt/yum.
- Run the reporting-install.yml playbook as root.
- Verify that the Log4j versions used are 2.17.1.
- Verify that the Reports page in Monitoring > Reports loads correctly.
However, full upgrade instructions are available in "From 6.4.x or later to 6.6".
Note: If the following partial upgrade steps are used, then any further upgrades to versions below 6.6.6 may revert these steps and lose the security fix. Please upgrade to version 6.6.6 or higher on your next full upgrade to retain this fix.
Step 1 - Retrieve the latest opsview-jasper package
To discover your operating system version, run:
lsb_release -a
To discover your Opsview version, run:
sudo cat /opt/opsview/webapp/var/version
On RPM based operating systems:
Copy the correct package URL for your Opsview version and operating system from the following table:
Then paste it into the following command, and run:
wget <URL-FOR-PACKAGE> -O opsview-jasper.rpm
On Debian based operating systems:
Copy the correct package URL for your Opsview version and operating system from the following table:
Debian 8 is no longer supported. If you are using Debian 8, please upgrade to Debian 10 using the instructions in "Upgrade from Debian 8 to Debian 10".
Then paste it into the following command, and run:
wget <URL-FOR-PACKAGE> -O opsview-jasper.deb
Step 2 - Install package
On RPM based operating systems:
sudo yum install ./opsview-jasper.rpm
On Debian based operating systems:
sudo apt install ./opsview-jasper.deb
Step 3 - Run reporting-install.yml playbook
sudo /opt/opsview/deploy/bin/opsview-deploy /opt/opsview/deploy/lib/playbooks/reporting-install.yml
Step 4 - Verify that Log4j versions used are 2.17.1
Run:
find /opt/opsview -name "*log4j*.jar"
The output should look like the following:
/opt/opsview/jasper/apache-ant/lib/ant-apache-log4j.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/jmx-logger-log4j-0.3.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-jcl-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-jul-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-web-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-api-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-1.2-api-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-core-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-1.2-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-core-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-jcl-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-jul-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-slf4j-impl-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-jcl-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-1.2-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-core-2.17.1.jar
The ant-apache-log4j.jar and jmx-logger-log4j-0.3.1.jar files make use of the shipped 2.17.1 version, so they should not be a cause for concern.
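To avoid checking the find output by eye, the comparison can be scripted. The following is an added example, not part of Opsview's tooling: the function names, the EXEMPT/OK/CHECK labels and the two stale sample paths are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Opsview's own tooling): classify the paths printed by
#   find /opt/opsview -name "*log4j*.jar"
EXPECTED="${EXPECTED:-2.17.1}"   # fixed Log4j version named on this page

# Reads jar paths on stdin and prints "STATUS path" for each one.
# Returns 1 if any jar is neither at $EXPECTED nor one of the exempt jars.
check_log4j_jars() {
    rc=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        case "$name" in
            ant-apache-log4j.jar|jmx-logger-log4j-0.3.1.jar)
                # The two jars the page says rely on the shipped Log4j.
                echo "EXEMPT $path" ;;
            log4j-*-"$EXPECTED".jar)
                # Suffix match, so the "1.2" in log4j-1.2-api-2.17.1.jar
                # is treated as part of the artifact name, not the version.
                echo "OK $path" ;;
            *)
                echo "CHECK $path"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: three paths from the listing above plus two made-up
# stale jars (the 2.14.1 and 1.2.17 entries are NOT from the page).
sample_paths() {
    cat <<'EOF'
/opt/opsview/jasper/apache-ant/lib/ant-apache-log4j.jar
/opt/opsview/jasper/buildomatic/lib/log4j-1.2-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-core-2.17.1.jar
/tmp/constructed/lib/log4j-core-2.14.1.jar
/tmp/constructed/lib/log4j-1.2.17.jar
EOF
}

# Scan the real install when present, otherwise the constructed sample.
if [ -d /opt/opsview ]; then
    find /opt/opsview -name "*log4j*.jar" | check_log4j_jars
else
    sample_paths | check_log4j_jars
fi || echo "Some jars are not at Log4j $EXPECTED; re-check Steps 2 and 3." >&2
```

Any line marked CHECK is a jar whose file name does not end in the expected version; this compares file names only and does not inspect jar contents.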