IBM DataPower Operations Dashboard v1.0.14.0
Apache Log4j Vulnerability (CVE-2021-44228) - Mitigation
This mitigation should only be applied to DPOD version >=1.0.10.0 <= 1.0.14.0.
DPOD version >=1.0.15.0 is not affected by this vulnerability.
DPOD version <=1.0.9.0 should be upgraded at least to 1.0.10.0 to apply this mitigation.
Upgrading DPOD to a version <=1.0.14.0 after applying this procedure will invalidate the mitigation and make DPOD vulnerable again.
For example, if you apply this procedure on DPOD 1.0.13.0 and then upgrade to 1.0.14.0, DPOD will become vulnerable again.
When upgrading DPOD, make sure to upgrade at least to 1.0.15.0, otherwise re-apply this procedure after the upgrade is complete.
All-in-One Installation
For a DPOD all-in-one installation, follow these steps:
Stop all the application services using app-util.sh
Execute the following commands:
sed -i "s/-Djava.net.preferIPv4Stack=true\"/-Djava.net.preferIPv4Stack=true -Dlog4j2.formatMsgNoLookups=true\"/g" /etc/init.d/MonTier-SyslogAgent-*
sed -i "s/-Djava.net.preferIPv4Stack=true\"/-Djava.net.preferIPv4Stack=true -Dlog4j2.formatMsgNoLookups=true\"/g" /etc/init.d/MonTier-WsmAgent-*
sed -i "s/-Djava.net.preferIPv4Stack=true\"/-Djava.net.preferIPv4Stack=true -Dlog4j2.formatMsgNoLookups=true\"/g" /etc/init.d/MonTier-es-raw-trans-*
sed -i "s/-Dfile.encoding=UTF-8\"/-Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true\"/g" /etc/init.d/MonTier-HK-*
sed -i "s/-Dfile.encoding=UTF-8\"/-Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true\"/g" /etc/init.d/MonTier-AppAdmin
sed -i "s/-Dfile.encoding=UTF-8\"/-Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true\"/g" /etc/init.d/MonTier-UI
sed -i "s/-Dfile.encoding=UTF-8\"/-Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true\"/g" /etc/init.d/MonTier-Reports
sed -i "s/-Dfile.encoding=UTF-8 org/-Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true org/g" /etc/init.d/MonTier-Derby
Execute the following command to validate the change:
cd /etc/init.d; grep -r "formatMsgNoLookups=true" | cut -d : -f 1 | sort

Expected results for architecture >=Medium:
==========================================
MonTier-AppAdmin
MonTier-Derby
MonTier-es-raw-trans-Node-1
MonTier-es-raw-trans-Node-2
MonTier-es-raw-trans-Node-3
MonTier-es-raw-trans-Node-4
MonTier-HK-ESRetention
MonTier-HK-SyslogKeepalive
MonTier-HK-WdpDeviceResources
MonTier-HK-WdpServiceResources
MonTier-HK-WsmKeepalive
MonTier-Reports
MonTier-SyslogAgent-1
MonTier-SyslogAgent-2
MonTier-SyslogAgent-3
MonTier-SyslogAgent-4
MonTier-UI
MonTier-WsmAgent-1
MonTier-WsmAgent-2
MonTier-WsmAgent-3
MonTier-WsmAgent-4
Start all the application services using app-util.sh
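The validation command above lists the scripts that carry the flag; after an upgrade or a partial sed match, the more useful list is the scripts that do not. The following is an added example, not part of IBM's procedure: the function names, the use of the two sed anchor options to decide which scripts matter, and the sample files (including the JAVA_OPTS line) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM's code): report DPOD init scripts that still lack the
# mitigation flag, e.g. after an upgrade to a version <=1.0.14.0.
# The flag, the MonTier-* glob and /etc/init.d come from the page; the function
# names and the sample files below are assumptions constructed for this example.

FLAG='-Dlog4j2.formatMsgNoLookups=true'
# The two JVM options the page's sed commands use as anchors.
ANCHORS='-Djava\.net\.preferIPv4Stack=true|-Dfile\.encoding=UTF-8'

# Print each MonTier-* script in $1 that has an anchor option but no flag.
# Returns 1 when at least one such script is found, 0 otherwise.
find_unmitigated() {
    fu_dir="${1:-/etc/init.d}"
    fu_missing=0
    for fu_file in "$fu_dir"/MonTier-*; do
        [ -f "$fu_file" ] || continue
        # Skip scripts the page's sed commands would never touch.
        grep -qE -e "$ANCHORS" "$fu_file" || continue
        if ! grep -qF -e "$FLAG" "$fu_file"; then
            basename "$fu_file"
            fu_missing=1
        fi
    done
    return "$fu_missing"
}

# Build a constructed sample directory: MonTier-UI ends its options with a
# double quote (the page's pattern matches), MonTier-Reports has a space
# before the quote (the pattern silently does not match).
make_sample() {
    ms_dir=$(mktemp -d) || return 1
    printf 'JAVA_OPTS="-Xmx1g -Dfile.encoding=UTF-8"\n'  > "$ms_dir/MonTier-UI"
    printf 'JAVA_OPTS="-Xmx1g -Dfile.encoding=UTF-8 "\n' > "$ms_dir/MonTier-Reports"
    printf '#!/bin/sh\necho no jvm here\n'               > "$ms_dir/MonTier-Other"
    # Same substitution as the page, applied to every sample file.
    sed -i "s/-Dfile.encoding=UTF-8\"/-Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true\"/g" "$ms_dir"/MonTier-*
    echo "$ms_dir"
}
```

On a DPOD host, run `find_unmitigated /etc/init.d` after the sed commands and again after any upgrade; a non-zero return means at least one listed script must be patched before the services are started.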
Cell Manager
For a DPOD Cell Manager, follow these steps:
Stop all the application services using app-util.sh
Execute the following commands:
sed -i "s/-Djava.net.preferIPv4Stack=true\"/-Djava.net.preferIPv4Stack=true -Dlog4j2.formatMsgNoLookups=true\"/g" /etc/init.d/MonTier-es-raw-trans-*
sed -i "s/-Dfile.encoding=UTF-8\"/-Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true\"/g" /etc/init.d/MonTier-HK-*
sed -i "s/-Dfile.encoding=UTF-8\"/-Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true\"/g" /etc/init.d/MonTier-AppAdmin
sed -i "s/-Dfile.encoding=UTF-8\"/-Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true\"/g" /etc/init.d/MonTier-UI
sed -i "s/-Dfile.encoding=UTF-8\"/-Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true\"/g" /etc/init.d/MonTier-Reports
sed -i "s/-Dfile.encoding=UTF-8 org/-Dfile.encoding=UTF-8 -Dlog4j2.formatMsgNoLookups=true org/g" /etc/init.d/MonTier-Derby
Execute the following command to validate the change:
Start all the application services using app-util.sh
Cell Member
For a DPOD Cell Member, follow these steps:
Stop all the application services using app-util.sh
Execute the following commands:
Execute the following command to validate the change:
Start all the application services using app-util.sh