Apache Log4j provides logging functionality in Java-based applications.
A flaw was found in the Java logging library Apache Log4j v1. The affected classes in Log4j v1, JMSAppender.class and SocketServer.class, are vulnerable to remote code execution on the server if the deployed application is configured to use the JMSAppender or SocketServer class as part of its Log4j v1 implementation.
Cleo Harmony, Cleo VLTrader, and Cleo LexiCom do not use the affected classes as part of their code framework and, as such, are not subject to either CVE.
Although Cleo Harmony, Cleo VLTrader, and Cleo LexiCom are not subject to either CVE, customers can take the following additional steps to safeguard their applications:
- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration.
- To mitigate CVE-2021-4104 and CVE-2019-17571, customers can use the procedure described below to remove the two classes from the specific files listed.
The two classes that need to be removed are:
- org/apache/log4j/net/JMSAppender.class
- org/apache/log4j/net/SocketServer.class
From the root of your Cleo application installation, the following two files can be updated:
- lib/log4j.jar
- webserver/WEB-INF/lib/log4j-1.2.8.jar
To remove these classes run:
zip -d lib/log4j.jar org/apache/log4j/net/JMSAppender.class org/apache/log4j/net/SocketServer.class
zip -d webserver/WEB-INF/lib/log4j-1.2.8.jar org/apache/log4j/net/JMSAppender.class org/apache/log4j/net/SocketServer.class
You should see the following output for each file:
Windows does not offer a built-in zip command to allow deletion of the offending classes via the command line. A third-party tool such as 7-Zip, WinZip or WinRAR should be used instead.
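The following script, added here as an example and not part of Cleo's advisory or product code, performs the same check-and-remove step with Python's standard zipfile module, so it also covers Windows hosts with no zip command line. The make_sample_jar helper builds a constructed stand-in jar for testing; on a real installation you would pass the two jar paths listed above instead.

```python
"""Check a Log4j 1.x jar for the classes named in CVE-2021-4104 / CVE-2019-17571
and rewrite it without them (pure Python, so it also works on Windows)."""
import os
import shutil
import tempfile
import zipfile

# Jar entries named in the advisory.
AFFECTED_ENTRIES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)


def list_entries(jar_path):
    with zipfile.ZipFile(jar_path) as jar:
        return jar.namelist()


def find_affected(jar_path):
    """Return the affected entries still present in the jar ([] if clean)."""
    names = set(list_entries(jar_path))
    return [e for e in AFFECTED_ENTRIES if e in names]


def strip_affected(jar_path):
    """Rewrite jar_path without the affected entries; returns what was removed.
    Keeps a .bak copy; zipfile can't delete in place, so it copies the rest."""
    removed = find_affected(jar_path)
    if not removed:
        return []
    shutil.copy2(jar_path, jar_path + ".bak")
    fd, tmp_name = tempfile.mkstemp(dir=os.path.dirname(jar_path), suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_name, "w") as dst:
        for info in src.infolist():
            if info.filename not in AFFECTED_ENTRIES:
                dst.writestr(info, src.read(info))  # keeps timestamp/compression
    os.replace(tmp_name, jar_path)
    return removed


def make_sample_jar():
    """Constructed stand-in for lib/log4j.jar: three tiny fake .class entries
    (not real bytecode) written to a fresh temp directory."""
    path = os.path.join(tempfile.mkdtemp(), "log4j.jar")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        for name in (*AFFECTED_ENTRIES, "org/apache/log4j/Logger.class"):
            jar.writestr(name, b"\xca\xfe\xba\xbe")
    return path
```

Run find_affected on both jars after patching to confirm they report no affected entries; the .bak copy lets you roll back if the application fails to start.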
Alternatively, for Linux/Unix/Windows, customers can replace their existing log4j files with the files attached.
Algorithm : SHA256
Hash : 9EB94CD3B94E6BA87C358C8263280F8FDB649C3B8D49478C9964EACE8C6A39B4
Algorithm : SHA256
Hash : 83CF60DC7AFDAB7B52C65A2FDAF35623384653EA2A3C6D2F693587BD3D93AF05