Apache Log4Shell Vulnerabilities

CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832

Please follow these instructions to resolve all four Log4j vulnerabilities listed above.

Upgrade Instructions

We recommend the following partial upgrade, which replaces only the opsview-jasper package (the component that ships Log4j) and resolves these vulnerabilities in the following steps:

  • Retrieve the latest opsview-jasper package for your OS and Opsview version, which contains Log4j 2.17.1.
  • Install this package directly using apt/yum.
  • Run the reporting-install.yml playbook as root.
  • Verify that the Log4j versions used are 2.17.1.
  • Verify that the Reports page in Monitoring > Reports loads correctly.

Alternatively, full upgrade instructions are available on the page From 6.4.x or later to 6.6.

Note: If these partial upgrade steps are used, any later upgrade to a version below 6.6.6 may revert them and lose the security fix. Upgrade to version 6.6.6 or higher on your next full upgrade to retain this fix.

Step 1 - Retrieve the latest opsview-jasper package

To discover your operating system version, run:

lsb_release -a

To discover your Opsview version, run:

sudo cat /opt/opsview/webapp/var/version

On RPM based operating systems:

Copy the correct package URL for your Opsview version and operating system from the following table:

Then paste it into the following command, and run:

wget <URL-FOR-PACKAGE> -O opsview-jasper.rpm

On Debian based operating systems:

Copy the correct package URL for your Opsview version and operating system from the following table:

Debian 8 is no longer supported. If you are using Debian 8, please upgrade to Debian 10 using the following instructions: Upgrade from Debian 8 to Debian 10.

Then paste it into the following command, and run:

wget <URL-FOR-PACKAGE> -O opsview-jasper.deb

Step 2 - Install package

On RPM based operating systems:

sudo yum install ./opsview-jasper.rpm

On Debian based operating systems:

sudo apt install ./opsview-jasper.deb

Step 3 - Run the reporting-install.yml playbook

sudo /opt/opsview/deploy/bin/opsview-deploy /opt/opsview/deploy/lib/playbooks/reporting-install.yml

Step 4 - Verify that the Log4j versions used are 2.17.1

Run:

find /opt/opsview -name "*log4j*.jar"

The output should look like the following:

/opt/opsview/jasper/apache-ant/lib/ant-apache-log4j.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/jmx-logger-log4j-0.3.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-jcl-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-jul-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-web-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-api-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-1.2-api-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-core-2.17.1.jar
/opt/opsview/jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-1.2-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-core-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-jcl-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-jul-2.17.1.jar
/opt/opsview/jasper/buildomatic/conf_source/ieCe/lib/log4j-slf4j-impl-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-jcl-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-1.2-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-api-2.17.1.jar
/opt/opsview/jasper/buildomatic/lib/log4j-core-2.17.1.jar

The ant-apache-log4j.jar and jmx-logger-log4j-0.3.1.jar files are adapter jars that do not bundle their own copy of Log4j; they use the shipped 2.17.1 jars, so the absence of a 2.17.1 version in their filenames is not a cause for concern. If any log4j-*.jar in the output still shows a version other than 2.17.1, the upgrade has not completed and the installation should not be considered fixed.
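The find command in Step 4 trusts the version embedded in each jar's filename. As an added check (example code written for this page, not Opsview's own code or tooling), the script below reads the version that Maven records inside each jar under META-INF/maven/org.apache.logging.log4j/<artifact>/pom.properties and flags jars older than 2.17.1, jars whose filename and contents disagree (for example a jar renamed without being replaced), and adapter jars such as ant-apache-log4j.jar that carry no Log4j 2 artifact of their own. The demo() function builds a constructed sample tree in a temporary directory; its paths and versions are made up for illustration and are not taken from a real Opsview install.

```python
"""Check the Log4j 2 version actually embedded in every *log4j*.jar under a tree.

Added example for this page, not Opsview's own code. Step 4 trusts the version
in each jar's filename; this reads the version Maven records inside the jar.
Usage on a real host:  python3 check_log4j.py /opt/opsview
"""
import re
import sys
import tempfile
import zipfile
from pathlib import Path

EXPECTED = "2.17.1"
POM_RE = re.compile(r"^META-INF/maven/org\.apache\.logging\.log4j/([^/]+)/pom\.properties$")
NAME_VER_RE = re.compile(r"log4j-(?:[a-z0-9.-]+?-)?(\d+\.\d+\.\d+)\.jar$")


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); anything without a leading dotted number sorts lowest."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)


def embedded_version(jar_path):
    """Return (artifact, version) from the Log4j 2 pom.properties inside the jar,
    or None when the jar bundles no Log4j 2 artifact (e.g. an adapter jar)."""
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            m = POM_RE.match(name)
            if not m:
                continue
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    return m.group(1), value.strip()
    return None


def scan(root, expected=EXPECTED):
    """Classify every *log4j*.jar under root.

    Returns {path: (status, detail)} where status is 'ok', 'outdated',
    'mismatch' (filename and contents disagree), 'adapter' (no embedded
    Log4j 2 artifact) or 'unreadable' (not a valid jar).
    """
    results = {}
    for jar in sorted(Path(root).rglob("*log4j*.jar")):
        try:
            found = embedded_version(jar)
        except zipfile.BadZipFile:
            results[str(jar)] = ("unreadable", "not a valid zip/jar file")
            continue
        if found is None:
            results[str(jar)] = ("adapter", "no Log4j 2 artifact inside; uses the jars on the classpath")
            continue
        artifact, version = found
        named = NAME_VER_RE.search(jar.name)
        if named and named.group(1) != version:
            results[str(jar)] = ("mismatch", f"{artifact}: filename says {named.group(1)}, contents say {version}")
        elif parse_version(version) < parse_version(expected):
            results[str(jar)] = ("outdated", f"{artifact} {version} is below {expected}")
        else:
            results[str(jar)] = ("ok", f"{artifact} {version}")
    return results


def _make_jar(path, entries):
    """Write a minimal jar (a zip) with the given {entry name: bytes}."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def _pom(artifact, version):
    """pom.properties entry in the form Maven writes into a Log4j 2 jar."""
    return {f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties":
            f"groupId=org.apache.logging.log4j\nartifactId={artifact}\nversion={version}\n".encode()}


def demo():
    """Constructed sample tree (not a real Opsview install) covering each status."""
    root = Path(tempfile.mkdtemp(prefix="log4j-check-"))
    lib = root / "jasper/apache-tomcat/webapps/jasperserver/WEB-INF/lib"
    _make_jar(lib / "log4j-core-2.17.1.jar", _pom("log4j-core", "2.17.1"))
    _make_jar(lib / "log4j-1.2-api-2.17.1.jar", _pom("log4j-1.2-api", "2.17.1"))
    # Renamed jar: the filename claims 2.17.1 but the contents are still 2.14.1.
    _make_jar(lib / "log4j-web-2.17.1.jar", _pom("log4j-web", "2.14.1"))
    # Stale jar left behind in another directory.
    _make_jar(root / "jasper/buildomatic/lib/log4j-core-2.11.2.jar", _pom("log4j-core", "2.11.2"))
    # Adapter jars carry no Log4j 2 artifact of their own.
    manifest = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
    _make_jar(lib / "jmx-logger-log4j-0.3.1.jar", manifest)
    _make_jar(root / "jasper/apache-ant/lib/ant-apache-log4j.jar", manifest)
    return {Path(p).name: status for p, (status, _) in scan(root).items()}


def main(argv):
    results = scan(argv[1] if len(argv) > 1 else "/opt/opsview")
    failures = 0
    for path, (status, detail) in results.items():
        print(f"{status:10} {path}  ({detail})")
        failures += status in ("outdated", "mismatch", "unreadable")
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments on the Opsview host to scan /opt/opsview; a non-zero exit code means at least one jar is outdated, renamed, or unreadable. The "adapter" status is informational and corresponds to the two jars the note above explains.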