These docs are for v6.6.


# CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832



Please follow these [Instructions](🔗) to resolve all 4 Log4j vulnerabilities.

# Upgrade Instructions

We recommend the following partial upgrade to resolve this specific issue:

  • Retrieve the latest `opsview-jasper` package for your OS and Opsview version, which contains `Log4j 2.17.1`.

  • Install this package directly using `apt`/`yum`.

  • Run the `reporting-install.yml` playbook as `root`.

  • Verify that the `Log4j` versions used are `2.17.1`.

  • Verify that the Reports page in `Monitoring > Reports` loads correctly.

However, full upgrade instructions are available on [From 6.4.x or later to 6.6](🔗).



Note: If the following partial upgrade steps are used, then any further upgrades to versions below 6.6.6 may revert these steps and lose the security fix. Please upgrade to version 6.6.6 or higher on your next full upgrade to retain this fix.

## Step 1 - Retrieve the latest `opsview-jasper` package

To discover your operating system version, run:



To discover your Opsview version run:



### On RPM based operating systems:

Copy the correct package URL for your Opsview version and operating system from the following table:

| Operating system | Opsview version | URL for package |
| --- | --- | --- |
| RHEL 8 | 6.6.x | https://downloads.opsview.com/opsview-commercial/6.6/yum/rhel/8/x86_64/opsview-jasper-6.6.6.202201061753-1.el8.noarch.rpm |
| RHEL 8 | 6.5.x | https://downloads.opsview.com/opsview-commercial/6.5/yum/rhel/8/x86_64/opsview-jasper-6.5.8.202201061757-1.el8.noarch.rpm |
| Centos 7, OL7, RHEL7 | 6.6.x | https://downloads.opsview.com/opsview-commercial/6.6/yum/rhel/7/x86_64/opsview-jasper-6.6.6.202201061753-1.ct7.noarch.rpm |
| Centos 7, OL7, RHEL7 | 6.5.x | https://downloads.opsview.com/opsview-commercial/6.5/yum/rhel/7/x86_64/opsview-jasper-6.5.8.202201061757-1.ct7.noarch.rpm |
| Centos 7, OL7, RHEL7 | 6.4.x | https://downloads.opsview.com/opsview-commercial/6.4/yum/rhel/7/x86_64/opsview-jasper-6.4.32.202201061757-1.ct7.noarch.rpm |

Then paste it into the following command, and run:



### On Debian based operating systems:

Copy the correct package URL for your Opsview version and operating system from the following table:

| Operating system | Opsview version | URL for package |
| --- | --- | --- |
| Ubuntu 20 | 6.6.x | https://downloads.opsview.com/opsview-commercial/6.6/apt/pool/main/o/opsview-jasper/opsview-jasper_6.6.6.202201061753-1focal1_all.deb |
| Ubuntu 20 | 6.5.x | https://downloads.opsview.com/opsview-commercial/6.5/apt/pool/main/o/opsview-jasper/opsview-jasper_6.5.8.202201061757-1focal1_all.deb |
| Ubuntu 18 | 6.6.x | https://downloads.opsview.com/opsview-commercial/6.6/apt/pool/main/o/opsview-jasper/opsview-jasper_6.6.6.202201061753-1bionic1_all.deb |
| Ubuntu 18 | 6.5.x | https://downloads.opsview.com/opsview-commercial/6.5/apt/pool/main/o/opsview-jasper/opsview-jasper_6.5.8.202201061757-1bionic1_all.deb |
| Ubuntu 18 | 6.4.x | https://downloads.opsview.com/opsview-commercial/6.4/apt/pool/main/o/opsview-jasper/opsview-jasper_6.4.32.202201061757-1bionic1_all.deb |
| Debian 10 | 6.6.x | https://downloads.opsview.com/opsview-commercial/6.6/apt/pool/main/o/opsview-jasper/opsview-jasper_6.6.6.202201061753-1buster1_all.deb |



Debian 8 is no longer supported. If you are using Debian 8, please upgrade to Debian 10 using the following instructions: [Upgrade from Debian 8 to Debian 10](🔗).

Then paste it into the following command, and run:



## Step 2 - Install package

On RPM based operating systems:



On Debian based operating systems:



## Step 3 - Run `reporting-install.yml` playbook



## Step 4 - Verify that `Log4j` versions used are `2.17.1`

Run



The output should look like the following:





The `ant-apache-log4j.jar` and `jmx-logger-log4j-0.3.1.jar` files make use of the shipped 2.17.1 version, so they should not be a cause for concern.
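The Step 4 check can also be scripted. The following is an added example, not Opsview's own command: it classifies every `*log4j*.jar` under a directory by the version in its file name and treats the two jars named above as exempt. The directory argument, the function names and the file-name version convention are assumptions; pass your actual Jasper installation directory.

```shell
# Added example, not Opsview's own command: classify Log4j-related jars under a
# directory by the version embedded in each file name.
EXPECTED_VERSION="2.17.1"

# check_log4j_jars DIR
# Prints one "STATUS path" line per jar. Returns 0 if every versioned jar is at
# EXPECTED_VERSION, 1 if any is not, 2 if no jars were found (nothing verified).
check_log4j_jars() {
  report=$(find "$1" -type f -name '*log4j*.jar' | sort | while IFS= read -r path; do
    name=${path##*/}
    case "$name" in
      # The two jars the page says make use of the shipped 2.17.1 version.
      ant-apache-log4j.jar|jmx-logger-log4j-0.3.1.jar)
        echo "EXEMPT $path"; continue ;;
    esac
    # Assumption: the version is the trailing "-<digits and dots>.jar" part.
    version=$(printf '%s\n' "$name" | sed -n 's/^.*-\([0-9][0-9.]*\)\.jar$/\1/p')
    if [ "$version" = "$EXPECTED_VERSION" ]; then
      echo "OK $path"
    elif [ -n "$version" ]; then
      echo "MISMATCH($version) $path"
    else
      echo "UNKNOWN $path"
    fi
  done)
  [ -n "$report" ] || { echo "no Log4j jars found under $1" >&2; return 2; }
  printf '%s\n' "$report"
  if printf '%s\n' "$report" | grep -Eq '^(MISMATCH|UNKNOWN)'; then return 1; fi
  return 0
}

# Constructed sample tree (empty files with realistic names) for a dry run.
make_sample_tree() {
  d=$(mktemp -d) && mkdir -p "$d/lib" &&
  touch "$d/lib/log4j-core-2.17.1.jar" "$d/lib/log4j-api-2.17.1.jar" \
        "$d/lib/log4j-1.2-api-2.14.1.jar" "$d/lib/ant-apache-log4j.jar" &&
  echo "$d"
}

# Scan the directory given as $1, or the constructed sample when run without one.
if [ "$#" -gt 0 ]; then
  check_log4j_jars "$1"
else
  sample=$(make_sample_tree)
  check_log4j_jars "$sample" || echo "verification failed (status $?)"
  rm -rf "$sample"
fi
```

A non-zero exit status means at least one jar needs manual review; a status of 2 means the directory contained no matching jars, so nothing was verified.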