elastic search
# Work inside Elasticsearch's lib directory. The mv/unlink/ln commands that follow use
# relative file names, so confirm this cd succeeded before running them.
cd /usr/share/elasticsearch/lib/
# Stop the service before its Log4j jars are renamed or relinked.
service elasticsearch stop
if not already modified
# Rename the three shipped 2.9.1 jars to <name>.old, keeping them as backups.
# NOTE(review): file-based scanners may still report the .old copies left in this directory.
for jar in log4j-1.2-api-2.9.1.jar log4j-api-2.9.1.jar log4j-core-2.9.1.jar; do
  mv "$jar" "${jar}.old"
done
or if already modified as previous posts
# Remove the three 2.9.1 names so they can be re-pointed below.
# Presumably these are the symlinks made by the earlier procedure; check with ls -l first,
# because unlink on a regular jar file deletes it without leaving a backup.
for link in log4j-1.2-api-2.9.1.jar log4j-api-2.9.1.jar log4j-core-2.9.1.jar; do
  unlink "$link"
done
then
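# Download with certificate verification left on. --no-check-certificate makes wget accept
# any TLS certificate, so the archive installed as the fix could be replaced in transit.
# If wget rejects the certificate, update the system CA bundle instead of disabling the check.
wget https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.tar.gz
# Print the archive's SHA-512 and compare it by hand with the .sha512 file Apache publishes
# for this release (the .asc signature can be checked with gpg as well) before extracting.
sha512sum apache-log4j-2.16.0-bin.tar.gz
# NOTE(review): 2.16.0 was followed by later Log4j 2.x security releases; check the Apache
# Log4j security page for the current fixed version before reusing these file names.
# Extract only the three jars that stand in for the 2.9.1 ones.
tar -xvf apache-log4j-2.16.0-bin.tar.gz \
apache-log4j-2.16.0-bin/log4j-1.2-api-2.16.0.jar \
apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar \
apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
# The directory just extracted is apache-log4j-2.16.0-bin; the 2.15.0 name used here before
# does not match it, so the ownership change would not have applied to these jars.
chown -R root: apache-log4j-2.16.0-bin
# Recreate the old 2.9.1 file names as symlinks to the 2.16.0 jars.
ln -s apache-log4j-2.16.0-bin/log4j-1.2-api-2.16.0.jar log4j-1.2-api-2.9.1.jar
ln -s apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar log4j-api-2.9.1.jar
ln -s apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar log4j-core-2.9.1.jar
service elasticsearch start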
for unifi:
# Stop the controller before its Log4j jars are renamed or relinked.
service unifi stop
# The mv/unlink/ln commands that follow use relative file names, so confirm this cd
# succeeded before running them.
cd /opt/UniFi/lib/
then if not already modified
# Rename the three shipped 2.11.1 jars to <name>.old, keeping them as backups.
# NOTE(review): file-based scanners may still report the .old copies left in this directory.
for jar in log4j-api-2.11.1.jar log4j-core-2.11.1.jar log4j-slf4j-impl-2.11.1.jar; do
  mv "$jar" "${jar}.old"
done
if already modified
# Remove the three 2.11.1 names so they can be re-pointed below.
# Presumably these are symlinks from an earlier run of this procedure; check with ls -l first,
# because unlink on a regular jar file deletes it without leaving a backup.
for link in log4j-api-2.11.1.jar log4j-core-2.11.1.jar log4j-slf4j-impl-2.11.1.jar; do
  unlink "$link"
done
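# Download with certificate verification left on. --no-check-certificate makes wget accept
# any TLS certificate, so the archive installed as the fix could be replaced in transit.
# If wget rejects the certificate, update the system CA bundle instead of disabling the check.
wget https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.tar.gz
# Print the archive's SHA-512 and compare it by hand with the .sha512 file Apache publishes
# for this release (the .asc signature can be checked with gpg as well) before extracting.
sha512sum apache-log4j-2.16.0-bin.tar.gz
# NOTE(review): 2.16.0 was followed by later Log4j 2.x security releases; check the Apache
# Log4j security page for the current fixed version before reusing these file names.
# Extract only the three jars that stand in for the 2.11.1 ones.
tar -xzf apache-log4j-2.16.0-bin.tar.gz \
  apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar \
  apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar \
  apache-log4j-2.16.0-bin/log4j-slf4j-impl-2.16.0.jar
# Hand the extracted files to the ubnt account.
chown -R ubnt: apache-log4j-2.16.0-bin
# Recreate the old 2.11.1 file names as symlinks to the 2.16.0 jars.
ln -s apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar log4j-api-2.11.1.jar
ln -s apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar log4j-core-2.11.1.jar
ln -s apache-log4j-2.16.0-bin/log4j-slf4j-impl-2.16.0.jar log4j-slf4j-impl-2.11.1.jar
service unifi start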
for madsonic 5.x
# Stop the service before the war is modified.
service madsonic stop
# Later commands use relative paths (WEB-INF, madsonic.war); confirm this cd succeeded.
cd /usr/share/madsonic/
# List the Log4j-related entries packed in the war. -t only tests the archive, nothing is
# extracted; the "testing:" lines that follow are this command's output.
unzip -t madsonic.war |grep log4j
testing: WEB-INF/lib/log4j-1.2.17.jar OK
testing: WEB-INF/lib/slf4j-log4j12-1.7.2.jar OK
testing: WEB-INF/classes/log4j.properties OK
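# Clear any WEB-INF tree left over in the current directory. Options go before the operand,
# and -- stops option parsing, so this does not depend on GNU argument reordering.
rm -rf -- WEB-INF
# Pull only the Log4j 1.2.17 jar out of the war.
jar -xvf madsonic.war WEB-INF/lib/log4j-1.2.17.jar
# Delete JMSAppender, the class named in the Log4j 1.x mitigation for CVE-2021-4104.
# Running it in a subshell leaves the working directory untouched even when the cd fails,
# so the commands below never run from an unexpected directory.
(cd WEB-INF/lib/ && zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class)
# Check the result: this should print nothing once the class has been removed.
unzip -l WEB-INF/lib/log4j-1.2.17.jar | grep JMSAppender
# Write the patched jar back into the war. No backup of madsonic.war is taken here;
# copy it aside first if a rollback path is needed.
jar -uvf madsonic.war WEB-INF
# Replace the jar under /var/madsonic/jetty as well (presumably the expanded copy of the
# war that the running service uses).
rm -rf /var/madsonic/jetty/3760/webapp/WEB-INF/lib/log4j-1.2.17.jar
cp -a WEB-INF/lib/log4j-1.2.17.jar /var/madsonic/jetty/3760/webapp/WEB-INF/lib/log4j-1.2.17.jar
service madsonic start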
according to https://logging.apache.org/log4j/2.x/security.html
Mitigation
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability. (CVE-2021-45046)
Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
mitigation according to
https://access.redhat.com/security/cve/CVE-2021-4104
madsonic 6
would need
# Stop the service before the war is modified.
systemctl stop madsonic
# Later commands use relative paths (WEB-INF, madsonic.war); confirm this cd succeeded.
cd /usr/share/madsonic/
# List the Log4j-related entries packed in the war. -t only tests the archive, nothing is
# extracted; the "testing:" lines that follow are this command's output.
unzip -t madsonic.war |grep log4j
testing: WEB-INF/lib/slf4j-log4j12-1.7.22.jar OK
testing: WEB-INF/lib/log4j-1.2-api-2.7.jar OK
testing: WEB-INF/lib/log4j-1.2.17.jar OK
testing: WEB-INF/lib/log4j-api-2.7.jar OK
testing: WEB-INF/lib/log4j-core-2.7.jar OK
testing: WEB-INF/classes/log4j.properties OK
testing: WEB-INF/classes/log4j2.xml OK
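# patch 1.2
# Clear any WEB-INF tree left over in the current directory. Options go before the operand,
# and -- stops option parsing, so this does not depend on GNU argument reordering.
rm -rf -- WEB-INF
jar -xvf madsonic.war WEB-INF/lib/log4j-1.2.17.jar
# Delete JMSAppender, the class named in the Log4j 1.x mitigation for CVE-2021-4104.
# Running it in a subshell leaves the working directory untouched even when the cd fails,
# so the commands below never run from an unexpected directory.
(cd WEB-INF/lib/ && zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class)
# Check the result: this should print nothing once the class has been removed.
unzip -l WEB-INF/lib/log4j-1.2.17.jar | grep JMSAppender
# change 2.x
# Download with certificate verification left on. --no-check-certificate makes wget accept
# any TLS certificate, so the archive installed as the fix could be replaced in transit.
# If wget rejects the certificate, update the system CA bundle instead of disabling the check.
wget https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.tar.gz
# Print the archive's SHA-512 and compare it by hand with the .sha512 file Apache publishes
# for this release (the .asc signature can be checked with gpg as well) before extracting.
sha512sum apache-log4j-2.16.0-bin.tar.gz
# NOTE(review): 2.16.0 was followed by later Log4j 2.x security releases; check the Apache
# Log4j security page for the current fixed version before reusing these file names.
tar -xvf apache-log4j-2.16.0-bin.tar.gz \
apache-log4j-2.16.0-bin/log4j-1.2-api-2.16.0.jar \
apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar \
apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
# Store the 2.16.0 jars under the war's existing 2.7 file names so the rebuild overwrites
# those entries instead of adding a second copy of each library.
mv apache-log4j-2.16.0-bin/log4j-1.2-api-2.16.0.jar WEB-INF/lib/log4j-1.2-api-2.7.jar
mv apache-log4j-2.16.0-bin/log4j-api-2.16.0.jar WEB-INF/lib/log4j-api-2.7.jar
mv apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar WEB-INF/lib/log4j-core-2.7.jar
# Empty marker files recording that the jar names no longer match their contents.
touch WEB-INF/lib/log4j-2.7patchedTo2.16.0
touch WEB-INF/lib/log4j-1.2patched
#and rebuild
# No backup of madsonic.war is taken here; copy it aside first if a rollback path is needed.
jar -uvf madsonic.war WEB-INF
# update the expanded version
# Removes the whole directory; presumably the service re-expands the war on start (confirm).
rm -rf /var/madsonic/jetty/
systemctl start madsonic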