Cubewise Code
ProductsServicesResourcesDownloadsSupportEducationCompany
Contact us
global-search

Dec 1, 2021

log4j Exploit – Possible Action Required

Exploit Details

There has been a recent discovery of an exploit in the commonly used log4j library. The vulnerability impacts versions from 2.0 to 2.14.1. The vulnerability allows an attacker to execute remote code, it should therefore be considered serious.

https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-3201

How are Cubewise CODE products impacted?

Vulnerable

Pulse 6 Application Server

Pulse 6 uses log4j version 1 which is NOT impacted. However, bundled with Pulse is Elasticsearch which uses log4j v2.11.1, this version of log4j IS impacted.

To access the exploit an attacker would need to login to Pulse and access the Explorer component. Only Pulse admin users have access to this feature.

Pulse 6 and Elasticsearch use a recent version of the Java runtime which limits the impact of the attack, i.e. remote code cannot be executed due to default settings. System configuration/information can still be leaked to attacker.

Pulse does NOT use the log4j v1 features SocketServer or JMSAppender which can be used as an attack vector.

It is important that you take steps to fix this vulnerability. This is especially important if your Pulse server is exposed to the internet. Details to fix this issue are below.

For Cubewise Cloud customers a fix has already been deployed.

Not Impacted

  • Pulse v5 – Version 1 of log4j is used which is NOT impacted by the vulnerability.
    NOTE: If you have setup Elasticsearch (it is not bundled with Pulse in v5) you should apply one of the fixes below.

  • Apliqo UX / Canvas – Version 1 of log4j is used which is NOT impacted by the vulnerability.

  • Arc – Java and log4j are not used.

  • Slice – Java and log4j are not used.

Fix

There are two options to fix the log4j vulnerability:

Upgrade the log4j libraries:

  1. Download version 2.17.0 or later of log4j from the log4j website: https://logging.apache.org/log4j/2.x/download.html

  2. Stop the Pulse services including Pulse Elasticsearch.

  3. Use Windows Explorer navigate to [Pulse Install Directory]elasticlib, the default location is ‘C:Program FilesPulse for TM1elasticlib’.

  4. Delete the 3 log4j files:
    log4j-1.2-api-2.11.1.jar
    log4j-api-2.11.1.jar
    log4j-core-2.11.1.jar

  5. Unzip the log4j files downloaded in step 1.

  6. Copy 3 files:
    log4j-1.2-api-2.17.0.jar
    log4j-api-2.17.0.jar
    log4j-core-2.17.0.jar

  7. Paste the 3 files into the directory from step 3/4. Default: ‘C:Program FilesPulse for TM1elasticlib’

  8. Start the Pulse services.

Disable lookups

You can also disable format lookups by editing the Windows Registry:

  1. Stop the Pulse services including Pulse Elasticsearch.

  2. Open the Registry Editor on the Pulse server.

  3. Navigate to the following key:
    ComputerHKEY_LOCAL_MACHINESOFTWAREWOW6432NodeApache Software FoundationProcrun 2.0PulseElasticsearchServerParametersJava

  4. Double click on the Options value in the right-hand panel.

  5. In the dialog that opens add to the end of the settings the following:
    -Dlog4j2.formatMsgNoLookups=true

  6. Press OK to save.

  7. Start the Pulse services.

Related content

Loading related content