CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832 Log4j Response

UPDATE 04/11/2022:

Instructions added to patch the WAR files pre-deployment.

 


 

UPDATE 01/20/2022:

Moogsoft Enterprise v8.1.0.3 and v8.0.0.10 are now available and include Log4j v2.17.1.

  • MOOG-17453: Log4j has been upgraded to version 2.17.1 to mitigate against CVE-2021-44832

  • MOOG-17456: Upgrade to Elasticsearch 6.8.23 to mitigate against CVE-2021-44832

The complete release notes can be found here.

Please follow the relevant patch instructions for your installation type.

 


 

UPDATE 01/19/2022:

An additional step has been added to the patch instructions to cover the jar files associated with the Bridge and Broker processes. Please review the relevant subsections to ensure your system is completely patched.

 


 

UPDATE 12/23/2021:

Moogsoft Enterprise v8.1.0.2 (replaces v8.1.0.1) and v8.0.0.9 (replaces v8.0.0.8) are now available and include the following fix:

  • MOOG-17448: Upgrade to log4j v2.17 and Elasticsearch v6.8.22 to address a log4j RCE exploit.

Deployments running on Moogsoft Enterprise versions prior to v8.x should contact Moogsoft Support.

 


 

UPDATE 12/17/2021:

NOTE: Users should install v8.1.0.2 or v8.0.0.9 as these packages replace v8.1.0.1 and v8.0.0.8.

A patch has been created (v8.1.0.1 and v8.0.0.8) and posted to the Speedy repository. A version upgrade is not required to mitigate this vulnerability, provided the instructions below have been followed, and the mitigation steps applied.

Moogsoft Hosted or Hybrid Environments

Please raise a ticket through the Support Portal to request your hosted environment to be upgraded, should you wish to upgrade.

As of December 17, 2021, all relevant mitigation steps provided below, excluding product version upgrades, have been applied to the Moogsoft hosted portion of your environments.

On-premise Installation Customers

Please follow the relevant patch instructions for your installation type.

The release notes can be found here.

 


 

UPDATE 12/16/2021:

Updated instructions follow. They complement the instructions already provided by stripping the offending class from Enterprise components.

 

Moogsoft Hosted Environments

For environments hosted by Moogsoft, mitigation steps 1-3 and 5 have been completed, with the remaining steps to be completed on or before 12/17/2021.

Moogsoft Hybrid SaaS/On-premise Environments

Please see the statement above, found under "Moogsoft Hosted Environments," for the status of the Moogsoft-hosted portion of your environment. Please see the statement below, found under "On-premise Installation Customers," for any steps that must be taken to secure the on-premise portion of your environment.

On-premise Installation Customers

Background

These instructions provide the mitigation steps required to protect an existing installation of Enterprise 6.5.x (and higher) against the recent critical log4j RCE vulnerabilities CVE-2021-44228 and CVE-2021-45046.

Important Note: Enterprise versions 6.4.x and below are not affected by this vulnerability.

Enterprise 7.1.x, 7.2.x, 7.3.x, 8.x RPM Installations:

Assumptions:

  • MOOGSOFT_HOME env var set (usually /usr/share/moogsoft)

  • APPSERVER_HOME env var set (usually /usr/share/apache-tomcat)

Steps:

  1. [Applicable on all servers where any moogsoft packages are installed] Patch the logging configuration scripts to disable lookups (applies immediately to all Moogsoft applications)

    cd $MOOGSOFT_HOME/config/logging
    grep -rl "%message" | xargs sed -i 's/%message/%message{nolookups}/g'
  2. [Applicable on all servers where any moogsoft packages are installed] Patch Moogsoft application launcher scripts to include the "-Dlog4j2.formatMsgNoLookups=true" option (applies after application restart)

    cd $MOOGSOFT_HOME/bin
    grep -rl "Dlog4j.configurationFile" | xargs sed -i 's/-Dlog4j.configurationFile/-Dlog4j2.formatMsgNoLookups=true -Dlog4j.configurationFile/g'
  3. [Applicable on all servers where moogsoft ui packages are installed] Patch tomcat environment script to include the "-Dlog4j2.formatMsgNoLookups=true" option (creates the env file if it does not already exist; applies after application restart)

    cd $APPSERVER_HOME
    echo 'JAVA_OPTS+=" -Dlog4j2.formatMsgNoLookups=true"' >> bin/setenv.sh
  4. [Applicable on all servers where any moogsoft packages are installed] Patch Moogsoft and Elasticsearch log4j-core jars to remove JndiLookup class - requires zip utility!!! (applies after restart)

    if command -v zip; then
      for FILE in \
        $MOOGSOFT_HOME/lib/cots/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/graze/WEB-INF/lib/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/integrations-controller/WEB-INF/lib/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/moogpoller/WEB-INF/lib/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/moogsvr/WEB-INF/lib/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/situation_similarity/WEB-INF/lib/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/toolrunner/WEB-INF/lib/log4j-core-2.11.0.jar \
        /usr/share/elasticsearch/lib/log4j-core-2.9.1.jar \
        /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
      do
        if [ -f "${FILE}" ]; then
          FILE_OWNERSHIP=$(stat -c '%U:%G' ${FILE})
          echo -n "Patching jar ${FILE}..."
          zip -q -d ${FILE} org/apache/logging/log4j/core/lookup/JndiLookup.class
          chown ${FILE_OWNERSHIP} ${FILE}
          echo "done"
        else
          echo "File ${FILE} does not exist"
        fi
      done
    else
      echo "Unable to patch jars - zip utility does not exist or not in path"
    fi
  5. [Applicable on all 7.3.x and 8.x servers where moogsoft-ui packages or remote brokers are installed] Patch moogsoft bridge and broker jars to remove JndiLookup class from embedded log4j-core jar
    Note: Requires jar and zip utilities on path. The changes will apply only after application restart.

    #Assumes jar and zip in path and MOOGSOFT_HOME set
    if [ -x "$(command -v jar)" ] && [ -x "$(command -v zip)" ]; then
      for FILE in \
        $MOOGSOFT_HOME/lib/moogsoft_bridge-1.0.0.jar \
        $MOOGSOFT_HOME/lib/moogsoft-broker-1.1.0.jar
      do
        if [ -f "${FILE}" ]; then
          FILE_OWNERSHIP=$(stat -c '%U:%G' ${FILE})
          echo -n "Patching jar ${FILE}..."
          TMP_PATH=$(mktemp -d)
          cd ${TMP_PATH}
          jar -xf ${FILE} >/dev/null
          zip -q -d BOOT-INF/lib/log4j-core-2.11.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
          jar -cvf0M ${FILE} . > /dev/null
          cd; rm -rf ${TMP_PATH}
          chown ${FILE_OWNERSHIP} ${FILE}
          echo "done"
        else
          echo "File ${FILE} does not exist"
        fi
      done
    else
      echo "Unable to find one or both of \"jar\" or \"zip\" in path"
    fi

    Note: Depending on what is installed, the script may not find both the bridge and broker jars.

  6. [Applicable on all servers where moogsoft search package is installed] Patch Elasticsearch jvm options (applies after application restart)

    echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options
  7. Restart all Moogsoft services (including Tomcat) and Elasticsearch.

Enterprise 7.1.x, 7.2.x, 7.3.x, 8.x Tarball Installations:

Assumptions:

  • MOOGSOFT_HOME env var set

Steps:

  1. [Applicable on all servers where moogsoft is installed] Patch the logging configuration scripts to disable lookups (applies immediately to all Moogsoft applications)

    cd $MOOGSOFT_HOME/config/logging
    grep -rl "%message" | xargs sed -i 's/%message/%message{nolookups}/g'
  2. [Applicable on all servers where moogsoft is installed] Patch Moogsoft application launcher scripts to include the "-Dlog4j2.formatMsgNoLookups=true" option (applies after application restart)

    cd $MOOGSOFT_HOME/bin
    grep -rl "Dlog4j.configurationFile" | xargs sed -i 's/-Dlog4j.configurationFile/-Dlog4j2.formatMsgNoLookups=true -Dlog4j.configurationFile/g'
  3. [Applicable on all servers where moogsoft is installed] Patch Moogsoft and Elasticsearch log4j-core jars to remove JndiLookup class - requires zip utility!!! (applies after restart)

    if command -v zip; then
      for FILE in \
        $MOOGSOFT_HOME/lib/cots/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/apache-tomcat/webapps/graze/WEB-INF/lib/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/apache-tomcat/webapps/integrations-controller/WEB-INF/lib/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/apache-tomcat/webapps/moogpoller/WEB-INF/lib/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/apache-tomcat/webapps/moogsvr/WEB-INF/lib/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/apache-tomcat/webapps/situation_similarity/WEB-INF/lib/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/apache-tomcat/webapps/toolrunner/WEB-INF/lib/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/elasticsearch/lib/log4j-core-2.9.1.jar \
        $MOOGSOFT_HOME/cots/elasticsearch/lib/log4j-core-2.11.1.jar
      do
        if [ -f "${FILE}" ]; then
          FILE_OWNERSHIP=$(stat -c '%U:%G' ${FILE})
          echo -n "Patching jar ${FILE}..."
          zip -q -d ${FILE} org/apache/logging/log4j/core/lookup/JndiLookup.class
          chown ${FILE_OWNERSHIP} ${FILE}
          echo "done"
        else
          echo "File ${FILE} does not exist"
        fi
      done
    else
      echo "Unable to patch jars - zip utility does not exist or not in path"
    fi
  4. [Applicable on all 7.3.x and 8.x servers where moogsoft-ui packages or remote brokers are installed] Patch moogsoft bridge and broker jars to remove JndiLookup class from embedded log4j-core jar
    Note: Requires jar and zip utilities on path. The changes will apply only after application restart.

    #Assumes jar and zip in path and MOOGSOFT_HOME set
    if [ -x "$(command -v jar)" ] && [ -x "$(command -v zip)" ]; then
      for FILE in \
        $MOOGSOFT_HOME/lib/moogsoft_bridge-1.0.0.jar \
        $MOOGSOFT_HOME/lib/moogsoft-broker-1.1.0.jar
      do
        if [ -f "${FILE}" ]; then
          FILE_OWNERSHIP=$(stat -c '%U:%G' ${FILE})
          echo -n "Patching jar ${FILE}..."
          TMP_PATH=$(mktemp -d)
          cd ${TMP_PATH}
          jar -xf ${FILE} >/dev/null
          zip -q -d BOOT-INF/lib/log4j-core-2.11.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
          jar -cvf0M ${FILE} . > /dev/null
          cd; rm -rf ${TMP_PATH}
          chown ${FILE_OWNERSHIP} ${FILE}
          echo "done"
        else
          echo "File ${FILE} does not exist"
        fi
      done
    else
      echo "Unable to find one or both of \"jar\" or \"zip\" in path"
    fi

    Note: Depending on what is installed, the script may not find both the bridge and broker jars.

  5. [Applicable on all servers where elasticsearch runs] Patch Elasticsearch jvm options (applies after application restart)

    echo "-Dlog4j2.formatMsgNoLookups=true" >> $MOOGSOFT_HOME/cots/elasticsearch/config/jvm.options
  6. Restart all Moogsoft processes (including Tomcat) and Elasticsearch

Enterprise 6.5.x and 7.0.x RPM Installations:

Assumptions:

  • MOOGSOFT_HOME env var set (usually /usr/share/moogsoft)

  • APPSERVER_HOME env var set (usually /usr/share/apache-tomcat)

Steps:

  1. [Applicable on all servers where any moogsoft packages are installed] Patch Moogsoft application launcher scripts to include the "-Dlog4j2.formatMsgNoLookups=true" option (applies after application restart)

    cd $MOOGSOFT_HOME/bin
    grep -rl "\-XX:+UseThreadPriorities" | xargs sed -i 's/-XX:+UseThreadPriorities/-Dlog4j2.formatMsgNoLookups=true -XX:+UseThreadPriorities/g'
  2. [Applicable on all servers where moogsoft ui packages are installed] Patch tomcat environment script to include the "-Dlog4j2.formatMsgNoLookups=true" option (creates the env file if it does not already exist; applies after application restart)

    cd $APPSERVER_HOME
    echo 'JAVA_OPTS+=" -Dlog4j2.formatMsgNoLookups=true"' >> bin/setenv.sh
  3. [Applicable on all servers where any moogsoft packages are installed] Patch Moogsoft and Elasticsearch log4j-core jars to remove JndiLookup class - requires zip utility!!! (applies after restart)

    if command -v zip; then
      for FILE in \
        $MOOGSOFT_HOME/lib/cots/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/events/WEB-INF/lib/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/graze/WEB-INF/lib/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/integrations-controller/WEB-INF/lib/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/moogpoller/WEB-INF/lib/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/moogsvr/WEB-INF/lib/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/situation_similarity/WEB-INF/lib/log4j-core-2.11.0.jar \
        $APPSERVER_HOME/webapps/toolrunner/WEB-INF/lib/log4j-core-2.11.0.jar \
        /usr/share/elasticsearch/lib/log4j-core-2.9.1.jar
      do
        if [ -f "${FILE}" ]; then
          FILE_OWNERSHIP=$(stat -c '%U:%G' ${FILE})
          echo -n "Patching jar ${FILE}..."
          zip -q -d ${FILE} org/apache/logging/log4j/core/lookup/JndiLookup.class
          chown ${FILE_OWNERSHIP} ${FILE}
          echo "done"
        else
          echo "File ${FILE} does not exist"
        fi
      done
    else
      echo "Unable to patch jars - zip utility does not exist or not in path"
    fi
  4. [Applicable on all servers where moogsoft search package is installed] Patch Elasticsearch jvm options (applies after application restart)

    echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options
  5. Restart all Moogsoft services (including Tomcat) and Elasticsearch.

Enterprise 6.5.x and 7.0.x Tarball Installations:

Assumptions:

  • MOOGSOFT_HOME env var set

Steps:

  1. [Applicable on all servers where moogsoft is installed] Patch Moogsoft application launcher scripts to include the "-Dlog4j2.formatMsgNoLookups=true" option (applies after application restart)

    cd $MOOGSOFT_HOME/bin
    grep -rl "Dlog4j.configurationFile" | xargs sed -i 's/-Dlog4j.configurationFile/-Dlog4j2.formatMsgNoLookups=true -Dlog4j.configurationFile/g'
  2. [Applicable on all servers where moogsoft is installed] Patch Moogsoft and Elasticsearch log4j-core jars to remove JndiLookup class - requires zip utility!!! (applies after restart)

    if command -v zip; then
      for FILE in \
        $MOOGSOFT_HOME/lib/cots/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/apache-tomcat/webapps/events/WEB-INF/lib/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/apache-tomcat/webapps/graze/WEB-INF/lib/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/apache-tomcat/webapps/moogpoller/WEB-INF/lib/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/apache-tomcat/webapps/moogsvr/WEB-INF/lib/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/apache-tomcat/webapps/situation_similarity/WEB-INF/lib/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/apache-tomcat/webapps/toolrunner/WEB-INF/lib/log4j-core-2.11.0.jar \
        $MOOGSOFT_HOME/cots/elasticsearch/lib/log4j-core-2.9.1.jar
      do
        if [ -f "${FILE}" ]; then
          FILE_OWNERSHIP=$(stat -c '%U:%G' ${FILE})
          echo -n "Patching jar ${FILE}..."
          zip -q -d ${FILE} org/apache/logging/log4j/core/lookup/JndiLookup.class
          chown ${FILE_OWNERSHIP} ${FILE}
          echo "done"
        else
          echo "File ${FILE} does not exist"
        fi
      done
    else
      echo "Unable to patch jars - zip utility does not exist or not in path"
    fi
  3. [Applicable on all servers where elasticsearch runs] Patch Elasticsearch jvm options (applies after application restart)

    echo "-Dlog4j2.formatMsgNoLookups=true" >> $MOOGSOFT_HOME/cots/elasticsearch/config/jvm.options
  4. Restart all Moogsoft processes (including Tomcat) and Elasticsearch

Enterprise 6.4.x and Lower RPM Installations:

Moogsoft AIOps version 6.4.0.x and lower are not impacted by this vulnerability. No actions need to be taken for Moogsoft processes. Elasticsearch must still be patched.

These steps are only applicable to servers that have Elasticsearch installed.

Assumptions:

  • MOOGSOFT_HOME env var set (usually /usr/share/moogsoft)

  • APPSERVER_HOME env var set (usually /usr/share/apache-tomcat)

Steps:

  1. Remove the JndiLookup.class

    if command -v zip; then
      FILE='/usr/share/elasticsearch/lib/log4j-core-2.9.1.jar'
      if [ -f "${FILE}" ]; then
        FILE_OWNERSHIP=$(stat -c '%U:%G' ${FILE})
        echo -n "Patching jar ${FILE}..."
        zip -q -d ${FILE} org/apache/logging/log4j/core/lookup/JndiLookup.class
        chown ${FILE_OWNERSHIP} ${FILE}
        echo "done"
      else
        echo "File ${FILE} does not exist"
      fi
    else
      echo "Unable to patch jars - zip utility does not exist or not in path"
    fi
  2. Patch Elasticsearch jvm options (applies after application restart)

    echo "-Dlog4j2.formatMsgNoLookups=true" >> /etc/elasticsearch/jvm.options
  3. Restart Elasticsearch.

Enterprise 6.4.x and Lower Tarball Installations:

Moogsoft AIOps version 6.4.0.x and lower are not impacted by this vulnerability. No actions need to be taken for Moogsoft processes. Elasticsearch must still be patched.

These steps are only applicable to servers that have Elasticsearch installed.

Assumptions:

  • MOOGSOFT_HOME env var set

Steps:

  1. Remove the JndiLookup.class

    if command -v zip; then
      # Double quotes so that $MOOGSOFT_HOME is expanded
      FILE="$MOOGSOFT_HOME/cots/elasticsearch/lib/log4j-core-2.9.1.jar"
      if [ -f "${FILE}" ]; then
        FILE_OWNERSHIP=$(stat -c '%U:%G' ${FILE})
        echo -n "Patching jar ${FILE}..."
        zip -q -d ${FILE} org/apache/logging/log4j/core/lookup/JndiLookup.class
        chown ${FILE_OWNERSHIP} ${FILE}
        echo "done"
      else
        echo "File ${FILE} does not exist"
      fi
    else
      echo "Unable to patch jars - zip utility does not exist or not in path"
    fi
  2. Patch Elasticsearch jvm options (applies after application restart)

    echo "-Dlog4j2.formatMsgNoLookups=true" >> $MOOGSOFT_HOME/cots/elasticsearch/config/jvm.options
  3. Restart Elasticsearch.

Mitigation Steps for .war files RPM Installation:

  1. Check for the JndiLookup class in the below folder.

    1. grep -r "JndiLookup" $MOOGSOFT_HOME/lib/
    2. Output should be like this.
      Binary file /usr/share/moogsoft/lib/integrations-controller.war matches

  2. Check the md5 checksum before any changes

    1. md5sum $MOOGSOFT_HOME/lib/integrations-controller.war
       d55ab69e17cb03373d7be6b76a18655b  /usr/share/moogsoft/lib/integrations-controller.war
  3. Create another directory and copy the .war files found into it as a backup

    1. mkdir -p /home/centos/log4j
       cd /home/centos/log4j
       cp $MOOGSOFT_HOME/lib/integrations-controller.war /home/centos/log4j/
  4. Unzip existing .war file and find the impacted .jar from this.

    1. unzip integrations-controller.war
       grep -r "JndiLookup" *
    2. Output should be like this.
      Binary file integrations-controller.war matches
      Binary file WEB-INF/lib/log4j-core-2.11.0.jar matches
      Binary file WEB-INF/lib/spring-context-5.2.5.RELEASE.jar matches

  5. Find the impacted class [JndiLookup] in both JAR files.

    1. jar -tvf WEB-INF/lib/spring-context-5.2.5.RELEASE.jar | grep JndiLookup
    2. Output should be like this.

      571 Tue Mar 24 11:25:28 UTC 2020 org/springframework/jndi/JndiLookupFailureException.class
      2616 Tue Mar 24 11:25:28 UTC 2020 org/springframework/ejb/config/JndiLookupBeanDefinitionParser.class
    3. Check the other .jar file.

      1. jar -tvf WEB-INF/lib/log4j-core-2.11.0.jar | grep JndiLookup
      2. Output should be like this.
        2937 Sun Mar 11 15:43:52 UTC 2018 org/apache/logging/log4j/core/lookup/JndiLookup.class

  6. The second .jar [log4j-core-2.11.0.jar] contains the impacted class, so remove the impacted class from that file.

    1. zip -d WEB-INF/lib/log4j-core-2.11.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  7. Verify the class was removed successfully; the output should be blank this time.

    1. jar -tvf WEB-INF/lib/log4j-core-2.11.0.jar | grep JndiLookup
  8. Update the .war file

    1. zip -u integrations-controller.war
    2. Output should be like this.
      updating: WEB-INF/lib/ (stored 0%)
      updating: WEB-INF/lib/log4j-core-2.11.0.jar (deflated 11%)

  9. Provide the required permissions

    1. chown moogsoft:moogsoft /home/centos/log4j/integrations-controller.war
  10. Replace updated .war on the lib folder.

    1. cp /usr/share/moogsoft/lib/integrations-controller.war /usr/share/moogsoft/lib/integrations-controller.war_old
       cp /home/centos/log4j/integrations-controller.war /usr/share/moogsoft/lib/
  11. Check the md5 checksum after the changes

    1. md5sum /usr/share/moogsoft/lib/integrations-controller.war
    2. Output should be like this.
      6742376cfb4da86ec3433635934a853a  /usr/share/moogsoft/lib/integrations-controller.war

  12. Rebuild the UI

    1. cd /usr/share/moogsoft/bin/utils
       ./moog_init_ui.sh -w
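
Added example (not part of Moogsoft's instructions): a Python check that walks a .war or fat .jar, including the nested jars under WEB-INF/lib and BOOT-INF/lib, and reports every archive that still contains org/apache/logging/log4j/core/lookup/JndiLookup.class. It matches the exact entry name, so spring-context's JndiLookupFailureException.class, which grep flags in step 4, is not reported. The function names and the sample WAR built by build_sample_war are constructed for illustration.

```python
import io
import zipfile

# Exact entry that the mitigation steps remove from log4j-core.
VULN_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data, label, max_depth=4):
    """Return archive chains (outer!/inner) that still contain VULN_ENTRY.

    data  -- raw bytes of a jar/war
    label -- name used for the outermost archive in the result
    """
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container, nothing to inspect
    with archive:
        for name in archive.namelist():
            if name == VULN_ENTRY:
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and max_depth > 0:
                # Nested jar (WEB-INF/lib/*.jar, BOOT-INF/lib/*.jar): recurse in memory.
                nested = archive.read(name)
                hits += find_jndi_lookup(nested, f"{label}!/{name}", max_depth - 1)
    return hits


def scan_file(path):
    """Scan one archive on disk."""
    with open(path, "rb") as fh:
        return find_jndi_lookup(fh.read(), path)


def _make_zip(entries, compression=zipfile.ZIP_DEFLATED):
    """Build an in-memory archive from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_war(patched):
    """Constructed stand-in for integrations-controller.war; class bodies are dummies."""
    log4j = {"org/apache/logging/log4j/core/Logger.class": b"dummy"}
    if not patched:
        log4j[VULN_ENTRY] = b"dummy"
    spring = {
        # Matches `grep JndiLookup` but is not the vulnerable class.
        "org/springframework/jndi/JndiLookupFailureException.class": b"dummy",
    }
    return _make_zip({
        "WEB-INF/lib/log4j-core-2.11.0.jar": _make_zip(log4j),
        "WEB-INF/lib/spring-context-5.2.5.RELEASE.jar": _make_zip(spring),
    }, zipfile.ZIP_STORED)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        remaining = scan_file(path)
        for chain in remaining:
            print("STILL PRESENT:", chain)
        if not remaining:
            print("clean:", path)
```

Pass the patched archives as arguments, for example the .war under $MOOGSOFT_HOME/lib and the bridge and broker jars; any "STILL PRESENT" line names the nested jar that still needs the class removed.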

FAQs:

  1. Where can I see the messages that were previously posted?

  2. Can I update my Enterprise system to use the patched Log4j v2.16?

    • Patched versions 8.1.0.8 and 8.0.0.8 have been released (Dec 17, 2021).

    • A version upgrade is not required to mitigate CVE-2021-44228 and CVE-2021-45046, provided the mitigation steps in this document have been followed and applied.

  3. Will versions <v8.0.x receive a patch?

    • The mitigation steps provided above eliminate the vulnerability in your version of the product

    • Versions prior to v8.0.x are out of support and will not receive a product patch that includes v2.16 Log4j at this time.

    • Please upgrade to a supported version of Moogsoft Enterprise to receive the patched version of the Log4j library.

  4. Are these fix steps applicable to dedicated database servers?

    • While a dedicated database server should never run additional processes (i.e. LAMs, Moogfarmd, Tomcat), for consistency, we do recommend the mitigation steps above be applied to all servers in an Enterprise environment.

    • Should the above mitigation steps be applied to a dedicated database host, MySQL/Percona does not need to be restarted.

  5. My instance was patched and UI integrations were restarted. The flag "-Dlog4j2.formatMsgNoLookups=true" is not shown as an argument.

    • This is expected. UI integrations will not feature this flag as an argument.

  6. Do I need to upgrade my OpenJDK version to mitigate CVE-2021-44228 and CVE-2021-45046?

    • At this time, an upgrade of OpenJDK is not required to mitigate CVE-2021-44228 and CVE-2021-45046.

  7. Do I need to upgrade my Apache-Tomcat version to mitigate CVE-2021-44228 and CVE-2021-45046?

    • At this time, an upgrade of Apache-Tomcat is not required to mitigate CVE-2021-44228 and CVE-2021-45046.

  8. How can I verify the argument fix is applied to my Bridge process? 

    • [moogsoft@aiops80-t-bridge ~]$ ps -ef | grep -i bridge | grep formatMsg
      moogsoft 2615 1 30 16:08 ? 00:00:12 /opt/moogsoft/cots/openjdk-11.0.9.1_1/bin/java -Dlog4j2.formatMsgNoLookups=true -Dlog4j.configurationFile=/opt/moogsoft/config/logging/moogsoft_bridge.log.json -DMoogsoftLogFilename=/opt/moogsoft/log/moogsoft_bridge.log -jar /opt/moogsoft/lib/moogsoft_bridge-1.0.0.jar
  9. How can I upgrade Elasticsearch to 6.8.22 manually?

    • systemctl stop elasticsearch
      rpm -Uvh --nodeps https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.8.22.rpm
      systemctl daemon-reload
      systemctl start elasticsearch
  10. Will you be releasing a patch including Log4j v2.17.1?

    • In order to mitigate CVE-2021-44832, inclusion of v2.17.1 Log4j within Moogsoft's packages is planned.

    • Continue to watch this page for an update regarding its release.