Dec 1, 2021
log4j Exploit – Possible Action Required
Exploit Details
An exploit has recently been discovered in the commonly used log4j library. The vulnerability impacts versions from 2.0 to 2.14.1. It allows an attacker to execute remote code and should therefore be considered serious.
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-3201
How are Cubewise CODE products impacted?
Vulnerable
Pulse 6 Application Server
Pulse 6 uses log4j version 1, which is NOT impacted. However, Pulse is bundled with Elasticsearch, which uses log4j v2.11.1. This version of log4j IS impacted.
To exploit the vulnerability, an attacker would need to log in to Pulse and access the Explorer component. Only Pulse admin users have access to this feature.
Pulse 6 and Elasticsearch use a recent version of the Java runtime, which limits the impact of the attack, i.e. remote code cannot be executed due to default settings. System configuration/information can still be leaked to an attacker.
Pulse does NOT use the log4j v1 features SocketServer or JMSAppender which can be used as an attack vector.
It is important that you take steps to fix this vulnerability. This is especially important if your Pulse server is exposed to the internet. Details to fix this issue are below.
For Cubewise Cloud customers a fix has already been deployed.
Not Impacted
Pulse v5 – Version 1 of log4j is used which is NOT impacted by the vulnerability.
NOTE: If you have set up Elasticsearch (it is not bundled with Pulse in v5) you should apply one of the fixes below.
Apliqo UX / Canvas – Version 1 of log4j is used which is NOT impacted by the vulnerability.
Arc – Java and log4j are not used.
Slice – Java and log4j are not used.
Fix
There are two options to fix the log4j vulnerability:
Upgrade the log4j libraries:
1. Download version 2.17.0 or later of log4j from the log4j website: https://logging.apache.org/log4j/2.x/download.html
2. Stop the Pulse services including Pulse Elasticsearch.
3. Use Windows Explorer to navigate to [Pulse Install Directory]\elastic\lib; the default location is ‘C:\Program Files\Pulse for TM1\elastic\lib’.
4. Delete the 3 log4j files:
   log4j-1.2-api-2.11.1.jar
   log4j-api-2.11.1.jar
   log4j-core-2.11.1.jar
5. Unzip the log4j files downloaded in step 1.
6. Copy 3 files:
   log4j-1.2-api-2.17.0.jar
   log4j-api-2.17.0.jar
   log4j-core-2.17.0.jar
7. Paste the 3 files into the directory from step 3/4. Default: ‘C:\Program Files\Pulse for TM1\elastic\lib’
8. Start the Pulse services.
Disable lookups
You can also disable format lookups by editing the Windows Registry:
1. Stop the Pulse services including Pulse Elasticsearch.
2. Open the Registry Editor on the Pulse server.
3. Navigate to the following key:
   Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\PulseElasticsearchServer\Parameters\Java
4. Double click on the Options value in the right-hand panel.
5. In the dialog that opens add to the end of the settings the following:
   -Dlog4j2.formatMsgNoLookups=true
6. Press OK to save.
7. Start the Pulse services.
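To confirm that one of the two fixes above is in place, the following read-only PowerShell check can be run on the Pulse server. It is an added example, not part of Cubewise's instructions; it assumes the default install directory and the registry key given in the steps above, so adjust `$LibDir` if Pulse is installed elsewhere.

```powershell
# Added example, not Cubewise code. Read-only: it changes nothing on the server.
# Assumptions: default install path and Procrun key as given in the article.
$LibDir  = 'C:\Program Files\Pulse for TM1\elastic\lib'
$JavaKey = 'HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\PulseElasticsearchServer\Parameters\Java'
$Fixed   = [version]'2.17.0'   # minimum version the article says to install
$Flag    = '-Dlog4j2.formatMsgNoLookups=true'

# Option 1: every log4j jar in the Elasticsearch lib directory should be >= 2.17.0.
$jars = @(Get-ChildItem -Path $LibDir -Filter 'log4j-*.jar' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Names look like log4j-core-2.11.1.jar or log4j-1.2-api-2.17.0.jar;
        # the version is the last dotted number group before ".jar".
        if ($_.Name -match '-(\d+\.\d+(?:\.\d+)?)\.jar$') {
            $v = [version]$Matches[1]
            [pscustomobject]@{ File = $_.Name; Version = $v; Upgraded = ($v -ge $Fixed) }
        } else {
            # Unparseable version: treat as not upgraded so it gets looked at.
            [pscustomobject]@{ File = $_.Name; Version = 'unknown'; Upgraded = $false }
        }
    })
$allUpgraded = ($jars.Count -gt 0) -and
               (@($jars | Where-Object { -not $_.Upgraded }).Count -eq 0)

# Option 2: the Procrun "Options" value should contain the no-lookups flag.
$options = @()
if (Test-Path -LiteralPath $JavaKey) {
    $options = @((Get-ItemProperty -LiteralPath $JavaKey).Options)
}
# Split on whitespace so the check works whether the options are stored
# one per entry or together in a single string.
$lookupsDisabled = @($options |
    ForEach-Object { "$_" -split '\s+' } |
    Where-Object { $_ -eq $Flag }).Count -gt 0

$jars | Format-Table -AutoSize
"All log4j jars at $Fixed or later : $allUpgraded"
"formatMsgNoLookups flag present   : $lookupsDisabled"
if (-not ($allUpgraded -or $lookupsDisabled)) {
    Write-Warning 'Neither fix from the article is in place on this server.'
}
```

A jar still listed at 2.11.1 after the upgrade usually means the old files were not deleted in step 4 or the new ones were pasted into a different directory.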