Sterling Secure Proxy
Instructions for Installing Log4j 2.17.0 jars for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 JNDI Lookup Vulnerabilities
2021/12/20

This process allows the Customer to pull down new log4j 2.17.0 jar files from Fix Central and replace the existing 2.8.2, 2.14.1, 2.15.0, or 2.16.0 jars to address CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. In the 2.17.0 jars, JNDI lookups are disabled by default and must be explicitly enabled. Due to the high visibility of the vulnerability, Customers may want to simply update these jars instead of planning a full upgrade at this time.

Note: If you have already obtained a remediated log4j-core-2.8.2.jar or log4j-core-2.14.1.jar from Support with the JndiLookup class removed, or if you have updated your log4j jars to the 2.15.0 or above level, you are no longer vulnerable to the original Zero-Day CVE-2021-44228. CVE-2021-45105, however, is an uncontrolled-recursion (denial of service) flaw in lookup evaluation rather than a JNDI flaw, so neither removing the JndiLookup class nor the 2.15.0 / 2.16.0 level addresses it; that is why this document moves every component to 2.17.0.

APPLICABILITY

The log4j toolkit is used extensively throughout SSP and SEAS, so the jars need to be replaced in the Engine, SSPCM, and SEAS.

All Perimeter Servers (More Secure and Less Secure) as well as SEAS2432 and older use version 1 of log4j, which is NOT vulnerable to the JNDI lookup problem. They do NOT need to be updated.

The SSP3430 and older releases, which use the 2.0.2 version of log4j, CANNOT be updated with the 2.17.0 jars as described in this document. Please upgrade to a remediated copy of SSP3432, 6020, or 6030, or contact Support to request a remediated copy of the log4j-core-2.0.2.jar file.

The log4j 2.17.0 jar files will be folded into the next cumulative maintenance iFixes for each supported version, including the Perimeter Servers, which are being fast-tracked for release.

STEP 1 IS DONE ONCE AND CAN BE DONE WHILE THE PRODUCT IS RUNNING.

1. Download the SSP-SEAS-log4j-2.17.0-jars-for-CVE-2021-45105.zip file from Fix Central to a work directory and extract the jar files. When moving / copying the files, be sure to transfer them in binary mode (not ascii or text). In the commands below, <work_dir> stands for this work directory and <install_dir> for the installation directory of the instance being updated.

   Contents of the zip file:
      log4j-api-2.17.0.jar
      log4j-1.2-api-2.17.0.jar
      log4j-core-2.17.0.jar
      log4j-slf4j-impl-2.17.0.jar

STEPS FOR EACH INSTANCE OF THE SECURE PROXY ENGINE (SSP Engine).

a. Make a backup of the target directory before you begin. Also make a backup of a set of the existing 2.8.2, 2.14.1, 2.15.0, or 2.16.0 jars in another directory:
      ./lib/thirdparty/log4j-1.2-api-*.jar
      ./lib/thirdparty/log4j-slf4j-impl-*.jar
      ./lib/thirdparty/log4j-api-*.jar
      ./lib/thirdparty/log4j-core-*.jar

b. Take the target Engine instance down.

c. Remove the existing log4j*.jar files from the installed location (4 files in 1 place):
   UNIX:
      cd <install_dir>
      rm ./lib/thirdparty/log4j-1.2-api-*.jar
      rm ./lib/thirdparty/log4j-slf4j-impl-*.jar
      rm ./lib/thirdparty/log4j-api-*.jar
      rm ./lib/thirdparty/log4j-core-*.jar
   Windows:
      cd <install_dir>
      del .\lib\thirdparty\log4j-1.2-api-*.jar
      del .\lib\thirdparty\log4j-slf4j-impl-*.jar
      del .\lib\thirdparty\log4j-api-*.jar
      del .\lib\thirdparty\log4j-core-*.jar

d. Copy the 4 new log4j 2.17.0 files from the work directory to the installation location:
   UNIX:
      cp <work_dir>/*.jar ./lib/thirdparty
   Windows:
      copy <work_dir>\*.jar .\lib\thirdparty

e. Search the install image to make sure all log4j files are 2.17.0:
   UNIX:
      find . -name "log4j*.jar"     (lists all matching files; every name should end in -2.17.0.jar)
   Windows:
      Search for all "log4j*.jar"

f. Windows Only: Back up the bin\SSPEngine$.lax file, then edit it. Find the lax.class.path parm and change 2.8.2, 2.14.1, 2.15.0, or 2.16.0 to 2.17.0 in 4 places (one per log4j jar).

g. Start the Sterling Secure Proxy Engine.

h. Duplicate this process (starting with step a) for any other Engines.

STEPS FOR EACH INSTANCE OF THE SECURE PROXY CONFIGURATION MANAGER (SSPCM).

a. Make a backup of the target directory before you begin. Also make a backup of a set of the existing 2.8.2, 2.14.1, 2.15.0, or 2.16.0 jars in another directory:
      ./lib/thirdparty/log4j-1.2-api-*.jar
      ./lib/thirdparty/log4j-slf4j-impl-*.jar
      ./lib/thirdparty/log4j-api-*.jar
      ./lib/thirdparty/log4j-core-*.jar

b. Take the target SSPCM instance down. SSP Engines will continue to run.

c. Remove the existing log4j*.jar files from the installed locations (16 files in 4 places, plus 4 more in ./sdk/lib/thirdparty if that directory exists):
   UNIX:
      cd <install_dir>
      rm ./lib/thirdparty/log4j-1.2-api-*.jar
      rm ./lib/thirdparty/log4j-slf4j-impl-*.jar
      rm ./lib/thirdparty/log4j-api-*.jar
      rm ./lib/thirdparty/log4j-core-*.jar
      rm ./apps/jetty/webservices/webapps/SSPDashboard/WEB-INF/lib/log4j-1.2-api-*.jar
      rm ./apps/jetty/webservices/webapps/SSPDashboard/WEB-INF/lib/log4j-slf4j-impl-*.jar
      rm ./apps/jetty/webservices/webapps/SSPDashboard/WEB-INF/lib/log4j-api-*.jar
      rm ./apps/jetty/webservices/webapps/SSPDashboard/WEB-INF/lib/log4j-core-*.jar
      rm ./apps/jetty/webservices/webapps/SspJsf/WEB-INF/lib/log4j-1.2-api-*.jar
      rm ./apps/jetty/webservices/webapps/SspJsf/WEB-INF/lib/log4j-slf4j-impl-*.jar
      rm ./apps/jetty/webservices/webapps/SspJsf/WEB-INF/lib/log4j-api-*.jar
      rm ./apps/jetty/webservices/webapps/SspJsf/WEB-INF/lib/log4j-core-*.jar
      rm ./apps/jetty/webservices/webapps/sspcmrest/WEB-INF/lib/log4j-1.2-api-*.jar
      rm ./apps/jetty/webservices/webapps/sspcmrest/WEB-INF/lib/log4j-slf4j-impl-*.jar
      rm ./apps/jetty/webservices/webapps/sspcmrest/WEB-INF/lib/log4j-api-*.jar
      rm ./apps/jetty/webservices/webapps/sspcmrest/WEB-INF/lib/log4j-core-*.jar
      rm ./sdk/lib/thirdparty/log4j-1.2-api-*.jar          (the sdk directory may not exist)
      rm ./sdk/lib/thirdparty/log4j-slf4j-impl-*.jar
      rm ./sdk/lib/thirdparty/log4j-api-*.jar
      rm ./sdk/lib/thirdparty/log4j-core-*.jar
   Windows:
      cd <install_dir>
      del .\lib\thirdparty\log4j-1.2-api-*.jar
      del .\lib\thirdparty\log4j-slf4j-impl-*.jar
      del .\lib\thirdparty\log4j-api-*.jar
      del .\lib\thirdparty\log4j-core-*.jar
      del .\apps\jetty\webservices\webapps\SSPDashboard\WEB-INF\lib\log4j-1.2-api-*.jar
      del .\apps\jetty\webservices\webapps\SSPDashboard\WEB-INF\lib\log4j-slf4j-impl-*.jar
      del .\apps\jetty\webservices\webapps\SSPDashboard\WEB-INF\lib\log4j-api-*.jar
      del .\apps\jetty\webservices\webapps\SSPDashboard\WEB-INF\lib\log4j-core-*.jar
      del .\apps\jetty\webservices\webapps\SspJsf\WEB-INF\lib\log4j-1.2-api-*.jar
      del .\apps\jetty\webservices\webapps\SspJsf\WEB-INF\lib\log4j-slf4j-impl-*.jar
      del .\apps\jetty\webservices\webapps\SspJsf\WEB-INF\lib\log4j-api-*.jar
      del .\apps\jetty\webservices\webapps\SspJsf\WEB-INF\lib\log4j-core-*.jar
      del .\apps\jetty\webservices\webapps\sspcmrest\WEB-INF\lib\log4j-1.2-api-*.jar
      del .\apps\jetty\webservices\webapps\sspcmrest\WEB-INF\lib\log4j-slf4j-impl-*.jar
      del .\apps\jetty\webservices\webapps\sspcmrest\WEB-INF\lib\log4j-api-*.jar
      del .\apps\jetty\webservices\webapps\sspcmrest\WEB-INF\lib\log4j-core-*.jar
      del .\sdk\lib\thirdparty\log4j-1.2-api-*.jar          (the sdk directory may not exist)
      del .\sdk\lib\thirdparty\log4j-slf4j-impl-*.jar
      del .\sdk\lib\thirdparty\log4j-api-*.jar
      del .\sdk\lib\thirdparty\log4j-core-*.jar

d. Copy the 4 new log4j 2.17.0 files from the work directory to the installation locations (4 places, plus ./sdk/lib/thirdparty if it exists):
   UNIX:
      cp <work_dir>/*.jar ./lib/thirdparty
      cp <work_dir>/*.jar ./apps/jetty/webservices/webapps/SSPDashboard/WEB-INF/lib
      cp <work_dir>/*.jar ./apps/jetty/webservices/webapps/SspJsf/WEB-INF/lib
      cp <work_dir>/*.jar ./apps/jetty/webservices/webapps/sspcmrest/WEB-INF/lib
      cp <work_dir>/*.jar ./sdk/lib/thirdparty          (if the sdk directory exists)
   Windows:
      copy <work_dir>\*.jar .\lib\thirdparty
      copy <work_dir>\*.jar .\apps\jetty\webservices\webapps\SSPDashboard\WEB-INF\lib
      copy <work_dir>\*.jar .\apps\jetty\webservices\webapps\SspJsf\WEB-INF\lib
      copy <work_dir>\*.jar .\apps\jetty\webservices\webapps\sspcmrest\WEB-INF\lib
      copy <work_dir>\*.jar .\sdk\lib\thirdparty          (if the sdk directory exists)

e. Search the install image to make sure all log4j files are 2.17.0:
   UNIX:
      find . -name "log4j*.jar"     (lists all matching files; every name should end in -2.17.0.jar)
   Windows:
      Search for all "log4j*.jar"

   Note: If the Customer deletes the SSPDashboard, SspJsf, or sspcmrest directories from the webapps directory, the war file(s) will automatically expand again at startup and the old log4j*.jar files will reappear. The Customer would need to reapply these changes in that case.

f. Windows Only: Back up the bin\SSPCM$.lax file, then edit it. Find the lax.class.path parm and change 2.8.2, 2.14.1, 2.15.0, or 2.16.0 to 2.17.0 in 4 places (one per log4j jar).

g. Start the Sterling Secure Proxy CM.

h. Duplicate this process (starting with step a) for any other SSPCM install locations.

STEPS FOR EACH INSTANCE OF THE STERLING EXTERNAL AUTHENTICATION SERVER (SEAS).

NOTE: Not needed for SEAS2432 and lower. They run a lower version of log4j which is not vulnerable to CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

NOTE: The new 2.17.0 jar files are signed with an IBM certificate that is different from the ones used in SEAS builds prior to March 2021. For these builds, the Webstart GUI may fail to start due to the mismatch in signing. If this is the case, use the startGUI utility in the bin directory.

a. Make a backup of the target directory before you begin. Also make a backup of a set of the existing 2.8.2, 2.14.1, 2.15.0, or 2.16.0 jars in another directory:
      ./lib/thirdparty/log4j-1.2-api-*.jar
      ./lib/thirdparty/log4j-slf4j-impl-*.jar
      ./lib/thirdparty/log4j-api-*.jar
      ./lib/thirdparty/log4j-core-*.jar

b. Take the target SEAS instance down.

c. Remove the existing log4j*.jar files from the installed locations (8 files in 2 places):
   UNIX:
      cd <install_dir>
      rm ./lib/thirdparty/log4j-1.2-api-*.jar
      rm ./lib/thirdparty/log4j-slf4j-impl-*.jar
      rm ./lib/thirdparty/log4j-api-*.jar
      rm ./lib/thirdparty/log4j-core-*.jar
      rm ./conf/jetty/webservices/webapps/seasrest/WEB-INF/lib/log4j-1.2-api-*.jar
      rm ./conf/jetty/webservices/webapps/seasrest/WEB-INF/lib/log4j-slf4j-impl-*.jar
      rm ./conf/jetty/webservices/webapps/seasrest/WEB-INF/lib/log4j-api-*.jar
      rm ./conf/jetty/webservices/webapps/seasrest/WEB-INF/lib/log4j-core-*.jar
   Windows:
      cd <install_dir>
      del .\lib\thirdparty\log4j-1.2-api-*.jar
      del .\lib\thirdparty\log4j-slf4j-impl-*.jar
      del .\lib\thirdparty\log4j-api-*.jar
      del .\lib\thirdparty\log4j-core-*.jar
      del .\conf\jetty\webservices\webapps\seasrest\WEB-INF\lib\log4j-1.2-api-*.jar
      del .\conf\jetty\webservices\webapps\seasrest\WEB-INF\lib\log4j-slf4j-impl-*.jar
      del .\conf\jetty\webservices\webapps\seasrest\WEB-INF\lib\log4j-api-*.jar
      del .\conf\jetty\webservices\webapps\seasrest\WEB-INF\lib\log4j-core-*.jar

d. Copy the 4 new log4j 2.17.0 files from the work directory to the installation locations (2 places):
   UNIX:
      cp <work_dir>/*.jar ./lib/thirdparty
      cp <work_dir>/*.jar ./conf/jetty/webservices/webapps/seasrest/WEB-INF/lib
   Windows:
      copy <work_dir>\*.jar .\lib\thirdparty
      copy <work_dir>\*.jar .\conf\jetty\webservices\webapps\seasrest\WEB-INF\lib

e. Search the install image to make sure all log4j files are 2.17.0:
   UNIX:
      find . -name "log4j*.jar"     (lists all matching files; every name should end in -2.17.0.jar)
   Windows:
      Search for all "log4j*.jar"

f. Rename the seasrest.war file so that it does not repopulate the old jars at startup:
   UNIX:
      mv conf/jetty/webservices/seasrest.war conf/jetty/webservices/seasrest.war.hidden
   Windows:
      rename conf\jetty\webservices\seasrest.war seasrest.war.hidden

g. Windows Only: Back up the bin\SEAS$$.lax file, then edit it. Find the lax.class.path parm and change 2.8.2, 2.14.1, 2.15.0, or 2.16.0 to 2.17.0 in 4 places (one per log4j jar). Repeat for the bin\SEASGUI$.lax file.

h. Back up and edit the EA_GUI.jnlp for the Webstart GUI:
   UNIX:
      ./conf/jetty/docroot/webstart/EA_GUI.jnlp
   Windows:
      .\conf\jetty\docroot\webstart\EA_GUI.jnlp
   Change the 4 log4j jar filenames from 2.8.2, 2.14.1, 2.15.0, or 2.16.0 to 2.17.0.

i. Start the SEAS Instance.

j. Duplicate this process (starting with step a) for any other SEAS install locations.
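Step e of each section asks you to search the install image for stray log4j jars, and steps f, g and h rely on hand-editing the Windows .lax class paths and the SEAS EA_GUI.jnlp, which is where a stale 2.16.0 reference is easy to miss. The POSIX shell script below does all of those checks in one pass over an installation directory, and additionally flags any .war still present that bundles old log4j jars (the re-expansion problem the SSPCM note and SEAS step f describe). It is an added example written for this page, not part of IBM's instructions or the product; it assumes only the four 2.17.0 filenames from the Fix Central zip, and `<install_dir>` is the same placeholder used in the steps above.

```shell
# Post-swap verification for an SSP Engine, SSPCM or SEAS install tree.
# Added example for this page; it is not part of the IBM instructions or the
# product. It assumes only the 2.17.0 filenames shipped in the Fix Central zip
# and takes the installation directory (<install_dir> above) as its argument.

EXPECTED="2.17.0"
# Versions this document replaces; used to spot stale references in text files.
OLD_VERSIONS='2\.(8\.2|14\.1|15\.0|16\.0)'
STALE_JAR_RE="log4j-[A-Za-z0-9.-]*-${OLD_VERSIONS}\.jar"

# 1. Every log4j jar under the tree whose filename is not the expected version.
#    One pass covers lib/thirdparty, the WEB-INF/lib directories and sdk/.
stale_log4j_jars() {
    find "$1" -type f -name 'log4j*.jar' ! -name "*-${EXPECTED}.jar"
}

# 2. Hand-edited text files (Windows *.lax class paths, SEAS EA_GUI.jnlp) that
#    still name an old jar. Output is file:line:text. /dev/null is passed so
#    grep always prefixes the filename, even when only one file is examined.
stale_text_refs() {
    find "$1" -type f \( -name '*.lax' -o -name '*.jnlp' \) \
        -exec grep -n -E "$STALE_JAR_RE" /dev/null {} +
}

# 3. Deployable archives that would re-expand old jars if the exploded webapp
#    directory (SSPDashboard, SspJsf, sspcmrest, seasrest) is ever removed.
#    Needs unzip; skipped when it is not installed. A war renamed to
#    seasrest.war.hidden, as in the SEAS steps, is deliberately not matched.
stale_war_contents() {
    command -v unzip >/dev/null 2>&1 || return 0
    find "$1" -type f -name '*.war' | while IFS= read -r war; do
        if unzip -l "$war" 2>/dev/null | grep -E -q "$STALE_JAR_RE"; then
            printf '%s\n' "$war"
        fi
    done
}

# Run all three checks. Prints each finding; exit status 0 only when clean.
verify_log4j_tree() {
    dir=$1
    findings=$( {
        stale_log4j_jars "$dir"   | sed 's/^/stale jar: /'
        stale_text_refs "$dir"    | sed 's/^/stale class-path entry: /'
        stale_war_contents "$dir" | sed 's/^/war still bundles old log4j: /'
    } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    printf 'OK: every log4j jar and reference under %s is %s\n' "$dir" "$EXPECTED"
    return 0
}

# Usage (after step e of each section, before restarting the instance):
#   . ./check_log4j.sh && verify_log4j_tree <install_dir>
```

Run it against each Engine, SSPCM and SEAS installation directory after the copy step; a non-zero exit with a "stale class-path entry" line points at the exact .lax or .jnlp line that still needs editing, and a "war still bundles old log4j" line tells you which archive would undo the fix if its webapp directory were ever deleted.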