Security Vulnerability
Assigning CNA: Apache Software Foundation
Security Advisory Summary
December 9, 2021, the Apache Software Foundation released Log4j 2.15.0 to resolve a critical remote code execution vulnerability (CVE-2021-44228) affecting versions 2.0-beta9 through 2.14.1.
Apache Log4j is a popular Java logging library incorporated into a wide range of enterprise software (including Struts2, Solr, Druid, and Flink). This is a well-known vulnerability affecting numerous software companies.
The following SolarWinds products utilize an affected version of Apache Log4j in their codebase:
First, it’s important to note the Orion Platform core is not affected and does not utilize Apache Log4j.
Server & Application Monitor (SAM) (JMX Monitoring feature) utilizes the vulnerable Log4j library, but it uses the JDK version 16 which is not known at this time to be susceptible to the Log4j vulnerability. In an abundance of caution, SolarWinds engineers are producing a hotfix to replace the existing library with the latest version. This hotfix is being planned and the release schedule will be updated soon. Please refer to this page for updates.
Suggested workaround steps prior to hotfix availability can be found in the following KB Article: https://support.solarwinds.com/SuccessCenter/s/article/Server-Application-Monitor-SAM-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US
This workaround is targeted for customers running SAM 2020.2.6 and later, as earlier versions of SAM are based on an older version of Log4j unaffected by this issue. You can check your version by looking into folder: Orion-Installation\APM\jmxbridge.
Database Performance Analyzer (DPA) utilizes the vulnerable library but also uses a later version of the Java SDK which may reduce the risk of the vulnerability. SolarWinds engineers are producing a hotfix to replace the existing library with the latest version. This hotfix is being planned and the release schedule will be updated soon. Please refer to this page for updates.
Prior to hotfix’s availability, the Log4j libraries can be replaced manually on Windows by following the steps in the following kB article: https://support.solarwinds.com/SuccessCenter/s/article/Database-Performance-Analyzer-DPA-and-the-Apache-Log4j-Vulnerability-CVE-2021-44228?language=en_US
This workaround is targeted for customers running the following versions, as earlier versions of DPA are based on an older version of Log4j unaffected by this issue.
- 2021.1.x
- 2021.3.x
- 2022.1.x
The Linux instructions for DPA are in the process of being validated and will be provided once they are confirmed.
If an upgrade is not possible at this time, to help mitigate the risk to your DPA installation, please ensure your environment is appropriately configured and utilizes the DPA Secure Configuration Guide: Best Practices and Recommendations, available at: https://support.solarwinds.com/SuccessCenter/s/article/DPA-Secure-Configuration-Guide-Best-Practices-and-Recommendations
For More info: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228
Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228)
The Apache Log4j vulnerability is a third-party vulnerability in Apache software utilized widely across the software industry. This third-party component is used in very limited instances within a small subsection of SolarWinds products. This article describes Server & Application Monitor (SAM) and the Apache Log4j Vulnerability (CVE-2021-44228).
On December 9, 2021, the Apache Software Foundation released Log4j 2.15.0 to resolve a critical remote code execution vulnerability (CVE-2021-44228) affecting versions 2.0-beta9 through 2.14.1.
The Apache Log4j vulnerability is a third-party vulnerability in Apache software utilized widely across the software industry. This third-party component is used in very limited instances within a small subsection of SolarWinds products. For more information, please review the following resources:
- Cybersecurity & Infrastructure Security Agency (CISA): Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation: https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
- The Apache Software Foundation: Apache Log4j Security Vulnerabilities: https://logging.apache.org/log4j/2.x/security.html
- SolarWinds Security Advisory: Apache Log4j Critical Vulnerability (CVE-2021-44228): https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-44228
-
CVE-2021-44228
The following workaround is targeted for customers running SAM 2020.2.6 and later. Earlier versions of SAM are based on an older version of Log4j that is not affected by this issue.
To check your version, navigate to the \SolarWinds\Orion\APM\jmxbridge folder. The default path is C:\Program Files (x86)\SolarWinds\Orion\APM\jmxbridge.
To manually upgrade Log4j, perform these steps on all SAM polling engines, including any SolarWinds High Availability servers:
1. Download the latest files required from this site: Log4j Download
2. Use the Orion Service Manager to stop the SolarWinds JMX Bridge service.
3. Navigate to the following folder: \SolarWinds\Orion\APM\jmxbridge\lib.
4. Move the following Log4j files from the \lib folder to the Windows Desktop:
- log4j-1.2-api-x.xx.0.jar
- log4j-api-x.xx.0.jar
- log4j-core-x.xx.0.jar
5. Copy the following files extracted from the downloaded file into the \lib folder:
- log4j-1.2-api-2.15.0.jar
- log4j-api-2.15.0.jar
- log4j-core-2.15.0.jar
6. Navigate to the following folder: \SolarWinds\Orion\APM\jmxbridge\jsl.
7. Backup the current configuration of the Java Service Launcher by copying jsl64.ini to the Desktop.
8. Launch a text editor, such as Notepad, as an Administrator, and open the existing jsl64.ini file.
Keep the first 3 lines, where APM_HOME =YOURPATH is specific to your SAM installation.
[defines]
APM_HOME =YOURPATH
PATH= %PATH%
9. Replace the entire [service] section with the following code:
[service]
appname = SolarWinds JMX Bridge
servicename = SWJMXBridgeSvc
displayname = SolarWinds JMX Bridge
servicedescription = SolarWinds JMX Bridge Service
stringbuffer = 16000
starttype=auto
loadordergroup=someorder
useconsolehandler=false
stopclass=com/solarwinds/jmxbridge/Service
stopmethod=stop
stopsignature=()V
[java]
jrepath=%APM_HOME%\..\openjdk\16
params = 5
;JDK 16 breaking change illegal-access=deny by default
param00 = --illegal-access=permit
param01 = -cp
param03 = -Denv.allusersprofile=%ALLUSERSPROFILE%
param04 = com.solarwinds.jmxbridge.Service
;WildFly XX.YY template
;1)download and copy jboss-cli-client in version XX.YY folder into directory '\Orion\APM\jmxbridge\lib\WildFly-{XX.YY}' -> example 'WildFly-18.0.1'
;2)uncomment below param01 and comment previously used
;3)replace in below path {XX.YY} with version of the wildfly client -> example 'WildFly-XX.YY' to 'WildFly-18.0.1'
;param02 = %APM_HOME%\jmxbridge\SolarWinds.JMX.Bridge.jar;%APM_HOME%\jmxbridge\lib\log4j-1.2-api-2.15.0;%APM_HOME%\jmxbridge\lib\wlclient.jar;%APM_HOME%\jmxbridge\lib\wljmxclient.jar;%APM_HOME%\jmxbridge\lib\javax.xml.soap-api.jar;%APM_HOME%\jmxbridge\lib\jaxb-api.jar;%APM_HOME%\jmxbridge\lib\jaxws-api.jar;%APM_HOME%\jmxbridge\lib\jsr181-api.jar.jar;%APM_HOME%\jmxbridge\lib\gmbal-api-only.jar;%APM_HOME%\jmxbridge\lib\ha-api.jar;%APM_HOME%\jmxbridge\lib\javax.activation-api.jar;%APM_HOME%\jmxbridge\lib\axb-core.jar;%APM_HOME%\jmxbridge\lib\jaxb-impl.jar;%APM_HOME%\jmxbridge\lib\jaxws-rt.jar;%APM_HOME%\jmxbridge\lib\management-api.jar;%APM_HOME%\jmxbridge\lib\mimepull.jar;%APM_HOME%\jmxbridge\lib\policy.jar;%APM_HOME%\jmxbridge\lib\saaj-impl.jar;%APM_HOME%\jmxbridge\lib\stax-ex.jar;%APM_HOME%\jmxbridge\lib\streambuffer.jar;%APM_HOME%\jmxbridge\lib\javax.annotation-api.jar;%APM_HOME%\jmxbridge\lib\WildFly-XX.YY\jboss-cli-client.jar
;WildFly 8.2
;param02 = %APM_HOME%\jmxbridge\SolarWinds.JMX.Bridge.jar;%APM_HOME%\jmxbridge\lib\log4j-1.2-api-2.15.0.jar;%APM_HOME%\jmxbridge\lib\wlclient.jar;%APM_HOME%\jmxbridge\lib\wljmxclient.jar;%APM_HOME%\jmxbridge\lib\javax.xml.soap-api.jar;%APM_HOME%\jmxbridge\lib\jaxb-api.jar;%APM_HOME%\jmxbridge\lib\jaxws-api.jar;%APM_HOME%\jmxbridge\lib\jsr181-api.jar.jar;%APM_HOME%\jmxbridge\lib\gmbal-api-only.jar;%APM_HOME%\jmxbridge\lib\ha-api.jar;%APM_HOME%\jmxbridge\lib\javax.activation-api.jar;%APM_HOME%\jmxbridge\lib\axb-core.jar;%APM_HOME%\jmxbridge\lib\jaxb-impl.jar;%APM_HOME%\jmxbridge\lib\jaxws-rt.jar;%APM_HOME%\jmxbridge\lib\management-api.jar;%APM_HOME%\jmxbridge\lib\mimepull.jar;%APM_HOME%\jmxbridge\lib\policy.jar;%APM_HOME%\jmxbridge\lib\saaj-impl.jar;%APM_HOME%\jmxbridge\lib\stax-ex.jar;%APM_HOME%\jmxbridge\lib\streambuffer.jar;%APM_HOME%\jmxbridge\lib\javax.annotation-api.jar;%APM_HOME%\jmxbridge\lib\WildFly-8.2\jboss-cli-client.jar
;Jboss 7.4
param02 = %APM_HOME%\jmxbridge\SolarWinds.JMX.Bridge.jar;%APM_HOME%\jmxbridge\lib\log4j-1.2-api-2.15.0.jar;%APM_HOME%\jmxbridge\lib\log4j-api-2.15.0.jar;%APM_HOME%\jmxbridge\lib\log4j-core-2.15.0.jar;%APM_HOME%\jmxbridge\lib\wlclient.jar;%APM_HOME%\jmxbridge\lib\wljmxclient.jar;%APM_HOME%\jmxbridge\lib\javax.xml.soap-api.jar;%APM_HOME%\jmxbridge\lib\jaxb-api.jar;%APM_HOME%\jmxbridge\lib\jaxws-api.jar;%APM_HOME%\jmxbridge\lib\jsr181-api.jar.jar;%APM_HOME%\jmxbridge\lib\gmbal-api-only.jar;%APM_HOME%\jmxbridge\lib\ha-api.jar;%APM_HOME%\jmxbridge\lib\javax.activation-api.jar;%APM_HOME%\jmxbridge\lib\axb-core.jar;%APM_HOME%\jmxbridge\lib\jaxb-impl.jar;%APM_HOME%\jmxbridge\lib\jaxws-rt.jar;%APM_HOME%\jmxbridge\lib\management-api.jar;%APM_HOME%\jmxbridge\lib\mimepull.jar;%APM_HOME%\jmxbridge\lib\policy.jar;%APM_HOME%\jmxbridge\lib\saaj-impl.jar;%APM_HOME%\jmxbridge\lib\stax-ex.jar;%APM_HOME%\jmxbridge\lib\streambuffer.jar;%APM_HOME%\jmxbridge\lib\javax.annotation-api.jar;%APM_HOME%\jmxbridge\lib\JBoss-7.4\jboss-cli-client.jar
;Jboss 7.1.1
;param02 = %APM_HOME%\jmxbridge\SolarWinds.JMX.Bridge.jar;%APM_HOME%\jmxbridge\lib\log4j-1.2-api-2.15.0.jar;%APM_HOME%\jmxbridge\lib\wlclient.jar;%APM_HOME%\jmxbridge\lib\wljmxclient.jar;%APM_HOME%\jmxbridge\lib\JBoss-7.1\remoting-jmx-1.0.2.Final.jar;%APM_HOME%\jmxbridge\lib\JBoss-7.1\jboss-remoting-3.2.3.GA.jar;%APM_HOME%\jmxbridge\lib\JBoss-7.1\jboss-logging-3.1.0.GA.jar;%APM_HOME%\jmxbridge\lib\JBoss-7.1\xnio-api-3.0.3.GA.jar;%APM_HOME%\jmxbridge\lib\JBoss-7.1\xnio-nio-3.0.3.GA.jar;%APM_HOME%\jmxbridge\lib\JBoss-7.1\jboss-sasl-1.0.0.Final.jar;%APM_HOME%\jmxbridge\lib\JBoss-7.1\jboss-marshalling-1.3.11.GA.jar;%APM_HOME%\jmxbridge\lib\JBoss-7.1\jboss-marshalling-river-1.3.11.GA.jar
10. Use Orion Service Manager to start the SolarWinds JMX Bridge Service.