Apache Log4j2 vulnerability

A possible exposure of Apache Log4j2 JNDI features to attacks via log messages and log message parameters requires immediate action for some censhare services. This security update article describes the actions necessary to fix any possible third-party vulnerability.

Affected censhare versions and services

The vulnerability affects Spring Boot applications with log4j 2.14.1 and lower. In censhare, this affects the Social Media service, Google Cloud AI service, Cloud Gateway and the Static Resource Server (SRS).

censhare version | service
censhare 2021.2 WP
censhare 2021.1
censhare 2020.3
censhare 2020.2

Remarks

(1) These services are part of the Google Cloud AI and Social Media integrations of censhare. They are optional.

(2) These services are part of the RPM packages of censhare WP. They are required for censhare 2021.2 installation.

Required actions

As an immediate action to mitigate a possible vulnerability, set the argument -Dlog4j2.formatMsgNoLookups=true on the Java Virtual Machine of the affected services:

Cloud Gateway

  1. Log in to the server where the Cloud Gateway package is installed.
  2. Edit the file /usr/lib/systemd/system/censhare.cloud-gateway.service.
  3. Under WorkingDirectory, add the line: EnvironmentFile=-/etc/sysconfig/censhare-cloud-gateway
  4. In the line ExecStart, add ${JAVA_OPTS} directly after /usr/bin/java, before -jar. The JVM reads -D options as system properties only when they precede the jar file; anything after the jar file is passed to the application as a program argument.
  5. The file should look like this:

    [Unit]
    Description=censhare springboot service for Cloud Gateway.
    After=network-online.target
    
    [Service]
    Type=simple
    WorkingDirectory=/opt/censer/cloud-gateway
    EnvironmentFile=-/etc/sysconfig/censhare-cloud-gateway
    ExecStart=/usr/bin/java ${JAVA_OPTS} -jar /opt/censer/cloud-gateway/cloud-gateway.jar
    Restart=on-abort
    User=censer
    Group=censer
    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=cloud-gateway
    
    [Install]
    WantedBy=multi-user.target
  6. Create the file /etc/sysconfig/censhare-cloud-gateway with the following contents:

    JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
  7. Restart the systemd service:

    systemctl daemon-reload
    systemctl restart censhare.cloud-gateway
  8. Verify that the command-line parameter took effect with the following command:

    ps aux | grep '[c]loud-gateway'
  9. The result should look as follows:

    censer    <omitted> /usr/bin/java -Dlog4j2.formatMsgNoLookups=true -jar /opt/censer/cloud-gateway/cloud-gateway.jar


Static Resource Server

  1. Log in to the server where the Static Resource Server package is installed.
  2. Edit the file /usr/lib/systemd/system/censhare.static-resource-server.service.
  3. Under WorkingDirectory, add the line: EnvironmentFile=-/etc/sysconfig/censhare-static-resource-server
  4. In the line ExecStart, add ${JAVA_OPTS} directly after /usr/bin/java, before -jar (options placed after the jar file are passed to the application, not to the JVM).
  5. The file should look like this:

    [Unit]
    Description=censhare springboot service for Static Resource Server.
    After=network-online.target
    
    [Service]
    Type=simple
    WorkingDirectory=/opt/censer/static-resource-server
    EnvironmentFile=-/etc/sysconfig/censhare-static-resource-server
    ExecStart=/usr/bin/java ${JAVA_OPTS} -jar /opt/censer/static-resource-server/static-resource-server.jar
    Restart=on-abort
    User=censer
    Group=censer
    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=static-resource-server
    
    [Install]
    WantedBy=multi-user.target
  6. Create the file /etc/sysconfig/censhare-static-resource-server with the following contents:

    JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
  7. Restart the systemd service:

    systemctl daemon-reload
    systemctl restart censhare.static-resource-server
  8. Verify that the command-line parameter took effect with the following command:

    ps aux | grep '[s]tatic-resource-server'
  9. The result should look something like this:

    censer    <omitted> /usr/bin/java -Dlog4j2.formatMsgNoLookups=true -jar /opt/censer/static-resource-server/static-resource-server.jar

Google AI

  1. Log in to the server where the Google AI integration package is installed.
  2. Edit the file /usr/lib/systemd/system/censhare.google-ai.service.
  3. Under WorkingDirectory, add the line: EnvironmentFile=-/etc/sysconfig/censhare-google-ai
  4. In the line ExecStart, add ${JAVA_OPTS} directly after /usr/bin/java, before -jar (options placed after the jar file are passed to the application, not to the JVM).
  5. The file should look like this:

    [Unit]
    Description=censhare springboot service for Google-AI.
    After=network-online.target
    
    [Service]
    Type=simple
    WorkingDirectory=/opt/censer/google-ai
    EnvironmentFile=-/etc/sysconfig/censhare-google-ai
    ExecStart=/usr/bin/java ${JAVA_OPTS} -jar -Xdebug /opt/censer/google-ai/google-ai.jar
    Restart=on-abort
    User=censer
    Group=censer
    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=google-ai
    
    [Install]
    WantedBy=multi-user.target
  6. Create the file /etc/sysconfig/censhare-google-ai with the following contents:

    JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
  7. Restart the systemd service:

    systemctl daemon-reload
    systemctl restart censhare.google-ai
  8. Verify that the command-line parameter took effect with the following command:

    ps aux | grep '[g]oogle-ai'
  9. The result should show:

    -Dlog4j2.formatMsgNoLookups=true

Social Media

  1. Log in to the server where the Cloud Gateway package is installed.
  2. Edit the file /usr/lib/systemd/system/censhare.social-media.service.
  3. Under WorkingDirectory, add the line: EnvironmentFile=-/etc/sysconfig/censhare-social-media
  4. In the line ExecStart, add ${JAVA_OPTS} directly after /usr/bin/java, before -jar (options placed after the jar file are passed to the application, not to the JVM).
  5. The file should look like this:

    [Unit]
    Description=censhare springboot service for Social-Media.
    After=network-online.target
    
    [Service]
    Type=simple
    WorkingDirectory=/opt/censer/social-media
    EnvironmentFile=-/etc/sysconfig/censhare-social-media
    ExecStart=/usr/bin/java ${JAVA_OPTS} -jar /opt/censer/social-media/social-media.jar
    Restart=on-abort
    User=censer
    Group=censer
    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=social-media
    
    [Install]
    WantedBy=multi-user.target
  6. Create the file /etc/sysconfig/censhare-social-media with the following contents:

    JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
  7. Restart the systemd service with the following command:

    systemctl daemon-reload
    systemctl restart censhare.social-media
  8. Verify that the command-line parameter took effect with the following command:

    ps aux | grep '[s]ocial-media'
  9. The result should show:

    -Dlog4j2.formatMsgNoLookups=true
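
Added example (not part of the censhare advisory): a shell check for the verification step of the four procedures above. It classifies a java command line by whether -Dlog4j2.formatMsgNoLookups=true sits before the jar file, where the JVM reads it as a system property, or after it, where it is only a program argument. The function names and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether the mitigation flag on a java command line is a
# JVM option (read before the jar file) or only an argument handed to main().
# Simplification: -cp/-classpath are the only value-taking options handled.

classify_cmdline() {
    past_main=0; skip=0
    if [ "$#" -gt 0 ]; then shift; fi       # drop the java executable itself
    for arg in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        lower=$(printf '%s' "$arg" | LC_ALL=C tr 'A-Z' 'a-z')
        case "$lower" in
            -dlog4j2.formatmsgnolookups=true)
                if [ "$past_main" -eq 0 ]; then echo jvm-option
                else echo app-argument; fi
                return 0 ;;
            –dlog4j2.formatmsgnolookups=*)  # en dash from copy/paste, not "-"
                echo bad-dash; return 0 ;;
            -cp|-classpath)
                if [ "$past_main" -eq 0 ]; then skip=1; fi ;;
            -*) ;;                          # any other switch
            *)  past_main=1 ;;              # jar file (or main class) reached
        esac
    done
    echo missing
}

# Classify a running process from /proc/PID/cmdline (NUL-separated arguments).
classify_pid() {
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(tr '\0' '\n' < "/proc/$1/cmdline")
    set +f
    IFS=$old_ifs
    classify_cmdline "$@"
}

# Constructed command lines, not captured from a real host.
classify_cmdline /usr/bin/java -Dlog4j2.formatMsgNoLookups=true -jar /opt/censer/cloud-gateway/cloud-gateway.jar
classify_cmdline /usr/bin/java -jar /opt/censer/cloud-gateway/cloud-gateway.jar -Dlog4j2.formatMsgNoLookups=true
classify_cmdline /usr/bin/java –Dlog4j2.formatMsgNoLookups=true -jar /opt/censer/cloud-gateway/cloud-gateway.jar
```

On a host, call classify_pid with the PID shown by the ps command. The Apache Log4j project later documented formatMsgNoLookups as an incomplete mitigation, so a jvm-option result does not replace upgrading Log4j.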