MotioCI - Mitigation Procedure for Log4j2 Vulnerability (CVE-2021-45046, CVE-2021-45105, CVE-2021-44228)
There are several mitigation steps that can be taken to immediately close off these vulnerabilities for existing MotioCI installations (see below). The mitigation comprises three steps:
Locate the log4j-core-2.9.0.jar file under the MotioCI installation and remove the org/apache/logging/log4j/core/lookup/JndiLookup.class entry from the jar (using WinZip, 7-Zip, zip or similar). Removing this class is what actually closes the JNDI vector behind CVE-2021-44228 and CVE-2021-45046; the pattern change in the next step is defense in depth on top of it.
Edit the Main Process and Worker Process log4j2.xml configuration files to disable message lookups (%m{nolookups}).
Remove JndiLookup.class from each dispatcher and CM node with the active versioning plugin installed, then stop and start the Cognos services.
If you have any questions or would like assistance please open a support ticket or send an email to help@motio.com and our support team will be happy to assist.
The locations of the three files involved vary by MotioCI version.
MotioCI 3.2.9 and Earlier
MotioCI 3.2.10 (FL1 through FL6)
Stop the MotioCI Service
Find the log4j-core-2.9.0.jar under your MotioCI root directory (see the table above for the exact location). Keep a copy of the original jar somewhere outside the installation before modifying it.
Remove the org\apache\logging\log4j\core\lookup\JndiLookup.class entry from this jar.
On windows:
Open this jar file in your favorite zip utility (e.g. WinZip or 7-Zip)
In the Zip utility, navigate to org\apache\logging\log4j\core\lookup
Select the JndiLookup.class
Delete this file from the zip
On Linux or Unix, use a command-line tool such as zip or jar to remove this entry from the jar, then list the jar's contents to confirm that no JndiLookup.class entry remains. For example:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
In this step, we will edit the message pattern specified in the Main Process and Worker Process log4j2.xml files to explicitly disable message lookups.
This is done by changing each %m in the logging pattern to %m{nolookups}. The nolookups option of %m has been available since Log4j 2.7, so it works with the 2.9.0 jar shipped with MotioCI; the log4j2.formatMsgNoLookups system property, by contrast, was only introduced in Log4j 2.10 and has no effect on this version, which is why the pattern is edited instead.
Using a text editor of your choice, apply the following changes to BOTH the Main Process and Worker Process log4j2.xml files (two files need to be edited). Consult the tables above for the locations of these files.
For each log4j2.xml file:
Open the file in a text editor
Locate the two lines for modification:
<PatternLayout pattern="[%X{workerPid}] [%t][%c{1}]: %m%n"/>
<PatternLayout pattern="%d %-5p [%t][%X{txId}] [%c{1}]: %m%n"/>
Change these two lines to the following. NOTE that we have also changed the colon after the logger name to a semicolon, so that there is a visual indicator in the logs that the change has been applied.
<PatternLayout pattern="[%X{workerPid}] [%t][%c{1}]; %m{nolookups}%n"/>
<PatternLayout pattern="%d %-5p [%t][%X{txId}] [%c{1}]; %m{nolookups}%n"/>
Save the modified file
Now restart the MotioCI service.
After MotioCI has restarted, download the log files from within MotioCI. For log messages generated since the restart, each log message should now have a semicolon directly after the logger class name; a colon there means that process is still running the old pattern. For example, in the sample log messages below, there is a semicolon after [StartupListener].
2021-12-12 10:42:23,886 INFO [main] [] [StartupListener]; StartupService [com.focus.rclci.startup.LoadDatabasePropertiesStartupService] took [00:00:04.353] to complete successfully.
2021-12-12 10:42:23,887 INFO [main] [] [StartupListener]; Executing StartupService [com.focus.rclci.startup.MaintenanceStartupService]
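The following script is an added example, not Motio's own tooling, that carries out the local part of the procedure above and checks its results: it strips the JndiLookup.class entry from a jar, rewrites the two PatternLayout lines exactly as shown (colon to semicolon, %m to %m{nolookups}), and tests a log line for the semicolon marker. The jar it builds is a constructed stand-in with placeholder entries, not a real log4j-core-2.9.0.jar, and the XML fragment is a constructed excerpt containing only the two pattern lines from this page; point the file-based helper at your real jar and log4j2.xml paths (from the tables above) to apply it for real.

```python
"""Apply and verify the MotioCI Log4j2 mitigation (added example, not Motio's
own code). Works on in-memory bytes/strings so it can be checked against
constructed input; mitigate_files() wraps the same logic for real paths."""
import io
import re
import shutil
import zipfile
from typing import List, Tuple

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# The fragment the page says to change, anchored on the logger-name conversion
# so a pattern that was already mitigated ("; %m{nolookups}%n") is not touched.
_OLD_FRAGMENT = re.compile(r"(\[%c\{1\}\]): %m%n")
_NEW_FRAGMENT = r"\1; %m{nolookups}%n"

# A mitigated log line has "]; " right after the logger name (page's marker).
_MITIGATED_LINE = re.compile(r"\[[^\]]+\]; ")


def jar_entries(jar_bytes: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    return JNDI_ENTRY in jar_entries(jar_bytes)


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of the jar without JndiLookup.class. zipfile cannot delete
    an entry in place, so every other entry is copied into a fresh archive."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_ENTRY:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def disable_message_lookups(xml_text: str) -> Tuple[str, int]:
    """Rewrite each PatternLayout ending in ']: %m%n' to ']; %m{nolookups}%n'.
    Returns the new text and the number of patterns changed (0 when the file
    was already mitigated, so the function is safe to run twice)."""
    return _OLD_FRAGMENT.subn(_NEW_FRAGMENT, xml_text)


def log_line_is_mitigated(line: str) -> bool:
    """True if the line carries the semicolon marker from the new pattern."""
    return _MITIGATED_LINE.search(line) is not None


def mitigate_files(jar_path: str, xml_paths: List[str]) -> dict:
    """File-based wrapper: backs up and rewrites a real jar and log4j2.xml files.
    Stop the MotioCI service before calling this, as the page instructs."""
    result = {"jar_changed": False, "patterns_changed": 0}
    with open(jar_path, "rb") as f:
        jar = f.read()
    if jar_has_jndi_lookup(jar):
        shutil.copy2(jar_path, jar_path + ".bak")
        with open(jar_path, "wb") as f:
            f.write(strip_jndi_lookup(jar))
        result["jar_changed"] = True
    for path in xml_paths:
        with open(path, "r", encoding="utf-8") as f:
            text, n = disable_message_lookups(f.read())
        if n:
            shutil.copy2(path, path + ".bak")
            with open(path, "w", encoding="utf-8") as f:
                f.write(text)
        result["patterns_changed"] += n
    return result


def build_sample_jar() -> bytes:
    """Constructed stand-in for log4j-core-2.9.0.jar: placeholder entries whose
    contents are dummy bytes, not real class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe")
        zf.writestr(JNDI_ENTRY, b"\xca\xfe")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe")
    return buf.getvalue()


# Constructed excerpt holding only the two pattern lines quoted on this page.
SAMPLE_XML = """<Appenders>
  <Console name="worker"><PatternLayout pattern="[%X{workerPid}] [%t][%c{1}]: %m%n"/></Console>
  <File name="main"><PatternLayout pattern="%d %-5p [%t][%X{txId}] [%c{1}]: %m%n"/></File>
</Appenders>
"""

if __name__ == "__main__":
    jar = build_sample_jar()
    clean = strip_jndi_lookup(jar)
    print("JndiLookup present before/after:", jar_has_jndi_lookup(jar), jar_has_jndi_lookup(clean))
    text, n = disable_message_lookups(SAMPLE_XML)
    print("patterns changed:", n)
    print(text)
```

Run it once against the constructed inputs to see the before/after; for a real installation call mitigate_files() with the jar path and both log4j2.xml paths, then restart the service and confirm new log lines pass log_line_is_mitigated().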