Apache Log4j2 Vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)
Before version 1.7.24, personium-core has dependencies on Log4j2 versions that contain the vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
There are 2 approaches for avoiding these vulnerabilities.
- Update personium-core to version 1.7.24 or later.
- Set the JVM option that disables Log4j2 message lookups.
Note that the JVM option is only a stopgap: Apache's advisory for CVE-2021-45046 lists `log4j2.formatMsgNoLookups` among the mitigations found insufficient in some non-default configurations, and it does not address CVE-2021-45105 at all. Updating personium-core (and any other Log4j2 users on the host) to a fixed Log4j2 release is the only complete fix.
This guide shows you how to set the JVM option.
Personium is launched as a Tomcat web application, so you can set the personium-core JVM option by configuring Tomcat.
You can use the commands below on the AP server. (The value of $TOMCAT_HOME depends on your configuration. If you used ansible to construct Personium, TOMCAT_HOME is /opt/tomcat.)
```sh
cd $TOMCAT_HOME/bin
cp setenv.sh{,.bk}
echo 'export JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"' >> setenv.sh
systemctl restart tomcat
```
On the ES server instance, you have to configure the JVM option, too.
To set Elasticsearch JVM options, you can use the commands below on the ES server. (The value of $ELASTICSEARCH_HOME depends on your configuration. If you used ansible to construct Personium, ELASTICSEARCH_HOME is /opt/elasticsearch-6.6.1.)
```sh
cd $ELASTICSEARCH_HOME/config
echo "-Dlog4j2.formatMsgNoLookups=true" | sudo tee -a jvm.options
sudo systemctl restart elasticsearch
```
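The two procedures above append the same flag to two differently shaped files (a sourced shell script for Tomcat, a one-flag-per-line file for Elasticsearch). The script below is an added example, not part of the Personium wiki or the personium-core project: it applies the flag idempotently to both files (re-running it does not duplicate the line), takes the same `.bk` backup as the commands above, and adds two checks a practitioner wants after the restart: whether the running JVM actually received the property, and which `log4j-core` jars are present so their versions can be compared with the fixed releases in the advisories below. The paths are the ansible defaults named above; `jcmd` is assumed to be available from a JDK on the host.

```sh
#!/bin/sh
# Added example (not Personium project code): apply and verify the
# log4j2.formatMsgNoLookups stopgap for Tomcat and Elasticsearch.
set -eu

LOG4J_FLAG="-Dlog4j2.formatMsgNoLookups=true"

# Append LINE to FILE exactly once. The file is backed up to FILE.bk before
# the first change; if the line is already present nothing is written.
append_once() {
    file="$1"
    line="$2"
    [ -f "$file" ] || : > "$file"
    if grep -qF -- "$line" "$file"; then
        return 0
    fi
    cp "$file" "$file.bk"
    printf '%s\n' "$line" >> "$file"
}

# Succeeds if FILE already carries the Log4j2 flag.
has_flag() {
    grep -qF -- "$LOG4J_FLAG" "$1"
}

# Tomcat: bin/setenv.sh is sourced by catalina.sh, so the flag is added by
# extending JAVA_OPTS. The $JAVA_OPTS reference is written literally so it is
# expanded when Tomcat starts, not when this script runs.
configure_tomcat() {
    append_once "$1/bin/setenv.sh" "export JAVA_OPTS=\"\$JAVA_OPTS $LOG4J_FLAG\""
}

# Elasticsearch: config/jvm.options takes one raw JVM flag per line.
configure_elasticsearch() {
    append_once "$1/config/jvm.options" "$LOG4J_FLAG"
}

# After the service restart, confirm the property reached the running JVM.
# Exits non-zero if the property is absent (e.g. the wrong file was edited).
verify_running_jvm() {
    pid="$1"
    jcmd "$pid" VM.system_properties | grep -F 'log4j2.formatMsgNoLookups=true'
}

# List log4j-core jars under DIR so the deployed version can be checked
# against the fixed releases named in the advisories.
list_log4j_jars() {
    find "$1" -name 'log4j-core-*.jar' 2>/dev/null
}

# Usage on the AP and ES servers (paths are the ansible defaults above):
#   configure_tomcat /opt/tomcat && systemctl restart tomcat
#   verify_running_jvm "$(pgrep -f org.apache.catalina.startup.Bootstrap)"
#   list_log4j_jars /opt/tomcat/webapps
#   configure_elasticsearch /opt/elasticsearch-6.6.1 && systemctl restart elasticsearch
#   verify_running_jvm "$(pgrep -f org.elasticsearch.bootstrap.Elasticsearch)"
#   list_log4j_jars /opt/elasticsearch-6.6.1/lib
```

`verify_running_jvm` is the check that matters: `setenv.sh` only takes effect if Tomcat is started through `catalina.sh`, and a `jvm.options` edit only matters after Elasticsearch restarts, so inspecting the live JVM's system properties is the one observation that proves the flag is in force rather than merely written to disk.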
- Announcement in Elastic forum: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
- Announcement by Tomcat: https://lists.apache.org/thread/nrkjdxr5qqz1wwog1sf80wdklmg5wnkx
- Announcement by ActiveMQ: https://activemq.apache.org/news/cve-2021-44228