Critical vulnerability in Apache Log4j library

Josh Boxer
Josh Boxer Administrator
edited December 2023 in General

On 9th December 2021, Proof-of-Concept exploits for a new critical zero-day vulnerability affecting Apache Log4j, version 2.0 to 2.14.1, which results in remote code execution (RCE) were made publicly available. This is being tracked as CVE-2021-44228.

Experian is fully aware of the log4j security vulnerability. Experian Cyber Threat Intelligence (CTI) team continues to monitor and assess this vulnerability, including any potential impact to Experian systems. Security and the safeguarding of information entrusted to Experian is one of the top priorities of our business. We must be constantly vigilant and invest extensively to protect our data. Experian treats information security as a priority and performs appropriate analysis and remediation for these types of vulnerabilities.

More information:


The flaw can be mitigated by:

  • Upgrading Data Studio to version 2.5.9 or above (recommended) - Latest downloads
  • Setting the system property "log4j2.formatMsgNoLookups" to "true"


Windows - setting the system property:

If it is not possible to upgrade Data Studio to the latest version, Windows users should:

  1. stop the server Experian Data Studio Database Server [Windows > Control Panel > System and Security > Administrative Tools > Services > Experian Aperture Data Studio Database Server > Stop]
  2. navigate to the Data Studio installation directory (by default \\Program Files\Experian\Aperture Data Studio 2.x\)
  3. locate the file Aperture Data Studio Service 64bit.ini
  4. update the 'Virtual Machine Parameters=' appending the argument -Dlog4j2.formatMsgNoLookups=true (note the space before the hyphen)
  5. save changes and restart the server

 so it should look something like:

[Java Runtime Environment]
Minimum Version=1.8
JVM Source=favor_JRE
Virtual Machine Parameters=-XX:+UseG1GC -XX:+UseStringDeduplication -Dlog4j2.formatMsgNoLookups=true

- OR - 

[Java Runtime Environment]
Minimum Version=1.8
JVM Source=favor_JRE
Virtual Machine Parameters=-Xms66:1000:16000P -Dlog4j2.formatMsgNoLookups=true


Linux - Setting the system property:

If it is not possible to upgrade Data Studio to the latest version, for Linux / Docker environments, you will need to add the following line into docker-compose.yml file:

environment:
 - LOG4J_FORMAT_MSG_NO_LOOKUPS="true"


Find Duplicates Workbench
  1. Stop the Find Duplicates service [Windows > Control Panel > System and Security > Administrative Tools > Services > Experian Find Duplicates Service > Stop]
  2. Navigate to the Find Duplicates installation folder (by default \\Program Files\Experian\Aperture Data Studio 2.x\)
  3. Open the Find Duplicates Workbench.ini file
  4. Find the line starting with Virtual Machine Parameters= and append the property -Dlog4j2.formatMsgNoLookups=true (or add the line if necessary)
  5. Save Find Duplicates.ini and restart the Find Duplicates service.


Using a separate Find Duplicates installation in Windows

If it is not possible to upgrade Find Duplicates to the latest version:

  1. Stop the Find Duplicates service [Windows > Control Panel > System and Security > Administrative Tools > Services > Experian Find Duplicates Service > Stop]
  2. Navigate to the Find Duplicates installation folder and open Find Duplicates.ini
  3. Find the line starting with Virtual Machine Parameters= and append the property -Dlog4j2.formatMsgNoLookups=true (note the space before the hyphen)
  4. Save Find Duplicates.ini and restart the Find Duplicates service.


Using a separate Find Duplicates installation in Tomcat

If it is not possible to upgrade Find Duplicates to the latest version:

  1. Navigate to the \bin folder in the Tomcat installation location
  2. Run tomcat9w.exe
  3. Select the Java tab and under Java Options add a line with the following property: -Dlog4j2.formatMsgNoLookups=true
  4. Under the General tab click Restart.


Tagged:

Comments

  • Ian Hayden
    Ian Hayden Experian Super Contributor

    For customers with an existing windows installation we recommend that they apply the following change that will fix the problem until they are able to upgrade:

    • Stop the server
    • In the Aperture Data Studio installation directory open the Aperture Data Studio Service 64bit.ini file in a text editor
    • Add -Dlog4j2.formatMsgNoLookups=true to the Virtual Machine Parameters line so it looks like:

    Virtual Machine Parameters=-XX:+UseG1GC -XX:+UseStringDeduplication -Dlog4j2.formatMsgNoLookups=true

    • Save the file
    • Start the server


  • Josh Boxer
    Josh Boxer Administrator
    edited December 2021
    For any legacy customers still using Pandora

    Windows:

    1. Stop the server Experian Pandora Database Server [Windows > Control Panel > System and Security > Administrative Tools > Services > Experian Pandora Database Server > Stop]
    2. Navigate to the Pandora installation directory (default is Program files\Experian\Pandora 5.x.x)
    3. Locate the file Pandora Service 64bit.ini
    4. Update ‘Virtual Machine Parameters=’ appending the argument -Dlog4j2.formatMsgNoLookups=true (note the space before the hyphen)
    5. Save the changes and start Experian Pandora Database Server

    Update - also apply the change to the file Pandora Client 64bit.ini

    Linux:

    1. Stop the Experian Pandora server – pserver stop
    2. Navigate to /etc/Linux/ and locate the file pserver
    3. Update ‘Virtual Machine Parameters=’ appending the argument -Dlog4j2.formatMsgNoLookups=true
    4. Save the changes and start the Experian Pandora server – pserver start
  • Josh Boxer
    Josh Boxer Administrator
    For legacy customers still using Aperture Data Studio Version 1.X
    1. Stop the server (service name: Experian Aperture Data Studio Database Server 1.X.X 64bit)
    2. Go to the server install directory (by default C:\Program Files\Experian\Aperture Data Studio 1.X.X)
    3. Edit the Aperture Data Studio Service 64bit.ini file
    4. Update the Virtual Machine Parameters line appending -Dlog4j2.formatMsgNoLookups=true (note the space before the hyphen)
    5. So it should result in looking like: Virtual Machine Parameters=-XX:+UseG1GC -XX:+UseStringDeduplication -Dlog4j2.formatMsgNoLookups=true
    6. Save the file and restart the server
  • Josh Boxer
    Josh Boxer Administrator
    edited December 2021

    Update The newest version of Apache Log4j (v2.16.0) will be included in the next version of Aperture Data Studio, which should be released by Tuesday.

    Note that the latest finding (CVE-2021-45046 Severity:Moderate) that JNDI lookup can still occur through ThreadContext, MDC, Logger.printf even with formatMsgNoLookups variable set to true, does not impact Data Studio which does not have external inputs stored as ThreadContext, MDC, or Logger.printf

  • Josh Boxer
    Josh Boxer Administrator

    Update Aperture Data Studio v2.5.10 should be available later today containing an upgrade to Log4j 2.16.0

    Note that the latest finding (CVE-2021-45105) has severity high, but this is based on a possible DOS (Denial of Service) attack, which is less of a priority than the previously reported "information leak and remote code execution" vulnerability. We will continue to monitor the situation closely.

  • Josh Boxer
    Josh Boxer Administrator
    edited December 2021

    Update SInce Data Studio does not use Context Lookups in its default logging configuration it will only be vulnerable in the unlikely event that an administrator has specifically configured Log4j in that way. As a matter of caution, we recommend that the log4j2.xml is checked for ‘$${ctx:’. For additional safety, (note that this is not applicable for log4j 2.16.0) the vulnerable code can be removed using the approved mitigation step of running :

    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    
  • Thank you for the latest status!

    We now have a requirement to upgrade Log4j to 2.17 so do you already have plans to do that upgrade and when that release will be available?

  • Josh Boxer
    Josh Boxer Administrator

    We do not yet have a date for any version beyond 2.5.10, so it is still strongly advised customers take the latest version asap since the first vulnerability raised remains the priority. We will provide further information on the next version once there is more to share.

  • Josh Boxer
    Josh Boxer Administrator
    edited December 2021

    Update Aperture Data Studio v2.5.10 and Find Duplicates v3.5.2 have been released containing an update to Log4j V2.16.0. Follow link to Latest downloads in description

  • Wenny Khoo
    Wenny Khoo Experian Employee

    We have client is asking for Pandora workaround provided on above. Other than setting the Dlog4j2.formatMsgNoLookups=true, could they remove the JndiLookup class and also to upgrade the Log4j version to Log4j 2.12.2 (Java 7) or Log4j 2.16.0 (Java 8) will having any impact for them using the Pandora before end of life support? Appreciate for the advice about it.

  • Clinton Jones
    Clinton Jones Experian Elite

    Aperture Data Studio v1.6.7 has also been released.

    It is a security release with a variety of changes and updates to maintain the security of the product. It does not contain any bug fixes to detail here.

    Notably however it contains the latest log4j libraries (2.17.0) throughout.

    Please contact support to get a hold of this version if you require it.

  • Josh Boxer
    Josh Boxer Administrator

    Pandora now has patches available for v5.9.5 and 5.9.6. Please contact Support if you would like to upgrade.

    Regarding the JndiLookup class, the comment above regarding 'Context Lookups' is relevant to Pandora. The class can be deleted for additional security.

  • Josh Boxer
    Josh Boxer Administrator
    edited January 2022

    Update the next version of Aperture Data Studio will include an update Log4j library v2.17.1, should be out in the next few days is now available

  • Thank you!

    Is that Log4j library v2.17.1 update also included in the latest release of Find Duplicates 3.5.3?

  • Ian Hayden
    Ian Hayden Experian Super Contributor

    Find Duplicates 3.5.3 contains log4j v2.17.0. However, the subsequent 3.5.4 release has been updated to contain the latest v2.17.1 of log4j.

  • Josh Boxer
    Josh Boxer Administrator

    Update: It is possible you have some older temporary files hanging around relating Aperture Data Studio / Find Duplicates that might get flagged by any vulnerability scans. Example:

    C:\Windows\TEMP\jetty-0_0_0_0-7701-match-rest-api-3_4_10_war-_experian-match-api...\log4j-core-2.13.2.jar
    

    It is safe to delete any Temp files