Mitigation for CVE-2021-44228 - critical vulnerability in log4j

What is CVE-2021-44228 ("Log4Shell")?

In December 2021, the critical security vulnerability CVE-2021-44228 in the open-source Java logging library log4j was identified and published. This vulnerability can allow arbitrary code execution, and several software providers as well as the BSI have reported that it is being actively exploited. For detailed, up-to-date information, please see the BSI log4j press statement as well as the BSI publication on detection and reaction.

Is LUY affected by log4Shell?

Our investigation of the latest LUY versions 7.2.0, 7.2.1, 7.2.2 and 7.3.0 has found that these LUY versions use log4j versions that are affected by the CVE-2021-44228 vulnerability.

Update on CVE-2021-45046 (15.12.2021):

As stated by apache.org, in some cases enabling formatMsgNoLookups is not a sufficient mitigation (known as CVE-2021-45046). This applies to logging configurations that use a non-default pattern layout. According to our investigations, LUY does not use such logging patterns by default; therefore no additional mitigation measures are necessary beyond those described below.

Update on CVE-2021-45105 (20.12.2021):

As stated by apache.org, further cases were found in which enabling formatMsgNoLookups is not a sufficient mitigation (known as CVE-2021-45105). This applies to logging configurations that use a non-default pattern layout. According to our investigations, LUY does not use such logging patterns by default; therefore no additional mitigation measures are necessary beyond those described below.

Update on CVE-2021-44832 (29.12.2021):

As stated by apache.org, further cases were found in which enabling formatMsgNoLookups is not a sufficient mitigation (known as CVE-2021-44832). This applies to logging configurations that use a JDBC appender. According to our investigations, LUY does not use JDBC appenders by default; therefore no additional mitigation measures are necessary beyond those described below.

Mitigation measures

We urge all on-premise customers to upgrade to the corresponding hotfix version (see release notes). After the upgrade, no further mitigation steps are necessary.

If you cannot update right now, we highly recommend implementing the mitigation steps described below as soon as possible!

For mitigation, the formatMsgNoLookups property has to be enabled. In the following, we describe the mitigation steps required for the different LUY setups.

Mitigation for LUY on-premise installations

To mitigate this vulnerability on your local LUY instance, a flag needs to be added to the Java process:

  1. Stop your Tomcat instance 

  2. Go to your Tomcat installation folder 

  3. Open the folder "bin"

  4. Check for or create the file "setenv.bat" (Windows) or "setenv.sh" (Linux)

  5. Add the following line to the newly created or already existing file:
    "setenv.bat": set JAVA_OPTS=%JAVA_OPTS% -Dlog4j2.formatMsgNoLookups=true

    "setenv.sh": JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"

  6. Save the file

  7. Restart your Tomcat instance 

  8. Check if the following entry has been written to the "catalina.log": -Dlog4j2.formatMsgNoLookups=true
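The following POSIX shell script is an added example, not part of this article and not LUY's or Apache Tomcat's own tooling. It applies step 5 to a "setenv.sh" without adding the flag twice on repeated runs, shows the JAVA_OPTS value that Tomcat's catalina.sh will see after sourcing the file (so you can confirm the flag is appended to existing options such as -Xmx rather than replacing them), and performs the "catalina.log" check from step 8, which is the same check as step 9 of the Windows-service procedure and step 5 of the Docker procedure below. File paths are supplied by the caller; the log excerpt in the demo is constructed for illustration.

```shell
#!/bin/sh
# Added example (not LUY's or Apache Tomcat's own tooling): apply step 5 of the
# on-premise procedure idempotently, show the resulting JAVA_OPTS, and run the
# step 8 check against catalina.log. Paths are passed in by the caller.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# ensure_flag SETENV_FILE
# Appends the step 5 line unless the flag is already present, so running the
# script twice never adds it twice. Creates the file if it does not exist.
ensure_flag() {
    f="$1"
    if [ -f "$f" ] && grep -qF -- "$FLAG" "$f"; then
        echo "already present in $f: $FLAG"
        return 0
    fi
    # Single quotes keep $JAVA_OPTS literal so the written line matches step 5 exactly.
    printf 'JAVA_OPTS="$JAVA_OPTS %s"\n' "$FLAG" >> "$f"
    echo "appended to $f: $FLAG"
}

# effective_java_opts SETENV_FILE [PRE_EXISTING_JAVA_OPTS]
# Sources the file in a subshell, as catalina.sh does, and prints the resulting
# JAVA_OPTS: the flag is appended to whatever was already set, not overwriting it.
effective_java_opts() {
    ( JAVA_OPTS="${2:-}"; . "$1"; printf '%s\n' "$JAVA_OPTS" )
}

# check_log CATALINA_LOG
# Step 8: returns 0 if Tomcat logged the flag among its command line arguments
# at startup, 1 if the log exists but lacks it, 2 if the log is unreadable.
check_log() {
    [ -r "$1" ] || return 2
    grep -qF -- "$FLAG" "$1"
}

# Stand-alone demonstration on constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    ensure_flag "$tmp/setenv.sh"
    ensure_flag "$tmp/setenv.sh"          # second run is a no-op
    echo "JAVA_OPTS after sourcing: $(effective_java_opts "$tmp/setenv.sh" '-Xmx2g')"
    # Constructed catalina.log excerpt resembling Tomcat's startup argument listing.
    printf '%s\n' \
        'INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx2g' \
        'INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=true' \
        > "$tmp/catalina.log"
    if check_log "$tmp/catalina.log"; then
        echo "catalina.log confirms the flag"
    else
        echo "flag NOT found in catalina.log; the JVM did not start with it"
    fi
    rm -rf "$tmp"
}

demo
```

Run it with the real paths, for example `ensure_flag /opt/tomcat/bin/setenv.sh` followed by a Tomcat restart and `check_log /opt/tomcat/logs/catalina.log`. Note that the formatMsgNoLookups property only has an effect on log4j 2.10 and later, and it is a workaround; the hotfix upgrade recommended above remains the complete fix.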

Mitigation for Tomcat on Windows

To mitigate this vulnerability if your Tomcat is installed as a Windows service, please follow these steps:

  1. Stop your Tomcat instance

  2. Go to your Tomcat installation folder

  3. Open the folder "bin"

  4. Execute the Tomcat Service Manager Tomcat9w.exe

  5. Go to the tab "Java"

  6. Add a new line to the field "Java Options" with the following content: "-Dlog4j2.formatMsgNoLookups=true"

  7. Press the "Ok" button to save the settings

  8. Start your Tomcat instance

  9. Check if the following entry has been written to the "catalina.log": -Dlog4j2.formatMsgNoLookups=true

Mitigation for LUY Docker containers 

To mitigate this vulnerability for a LUY Docker container, a flag for the Java process needs to be added to the "luy.yml" file:

  1. Stop your Docker container 

  2. Open the "luy.yml" file

  3. Add the flag "-Dlog4j2.formatMsgNoLookups=true" to the "CATALINA_OPTS" line, so that it reads: -CATALINA_OPTS=-Xmx2g -Duser.timezone=Europe/Berlin -Dlog4j2.formatMsgNoLookups=true

  4. Start your Docker container

  5. Check if the following entry has been written to the "catalina.log": -Dlog4j2.formatMsgNoLookups=true

In case of any questions, please contact our LUY service desk.

Change log

Please note that the information situation is highly dynamic. We will continue to update this article as new relevant information becomes available.

Date

Change to the Troubleshooting article

Troubleshooting article initially published.

Added description of Tomcat on Windows mitigation and new information on CVE-2021-45046.

Information update on CVE-2021-45105 and BSI detection and reaction article.

Information update about released hotfix versions which include the latest version of log4j 2.17.0. 

Information update on CVE-2021-44832.
