(7.6+) Updating log4j 2.x to 2.17.1

All versions of the log4j logging framework prior to 2.16 contain a security vulnerability which is mitigated in version 2.16 and higher. We highly recommend upgrading your deployment of log4j to the most recent version using the steps below.

IVG 5.0+ with OS 8

Update Tomcat

Use the following steps to update the Apache Tomcat version.

1. Stop the tomcat service.

systemctl stop tomcat

2. Copy the contents of the Tomcat_Log4j2.17.1 directory to the IVG server.

3. Back up and remove the existing jar files and configuration script.

cd <<tomcat-install-path>>/librm -f log4j-api-2.9.1.jar log4j-core-2.9.1.jar log4j-jul-2.9.1.jarcd <<tomcat-install-path>>/binrm -f setenv.sh

4. Navigate to the Log4j2.17.1 directory, then copy new jar files and new configuration script to the tomcat installation path.

cp log4j-api-2.17.1.jar <<tomcat-install-path>>/libcp log4j-core-2.17.1.jar <<tomcat-install-path>>/libcp log4j-jul-2.17.1.jar <<tomcat-install-path>>/libcp setenv.sh <<tomcat-install-path>>/bindos2unix <<tomcat-install-path>>/bin/setenv.sh

5. Set appropriate permissions. The following example will grant permissions to the tomcat-ivg user and group, but you can substitute a different user and group if needed.

chown tomcat-ivg:tomcat-ivg -R <<tomcat-install-path>>chmod u+x -R <<tomcat-install-path>>

6. Start the tomcat service

service tomcat start

Update the CTI Event Consumer service

1. Copy the contents of the CTIEventConsumer_log4j2.17.1_IVG5 directory to the IVG server.

2. Stop the holly service.

su - <<holly-linux-user>>hvpctl stop

3. Back up and remove the existing log4j jar files for CTI Event consumer.

rm –rf /export/home/VirtualHold/CTIEventConsumer/librm –rf /export/home/VirtualHold/CTIEventConsumer/ctieventconsumer-5.0.0.jarrm –f /export/home/VirtualHold/CTIEventConsumer/log4j2.xml

4. Navigate to the location of the CTIEventConsumer_log4j2.17.1_IVG5 files and copy the new artifacts into the CTIEventConsumer directory.

cp –rp lib /export/home/VirtualHold/CTIEventConsumer/cp log4j2.xml /export/home/VirtualHold/CTIEventConsumer/dos2unix /export/home/VirtualHold/CTIEventConsumer/log4j2.xmlcp ctieventconsumer-5.0.0.jar export/home/VirtualHold/CTIEventConsumer/

5. Set appropriate permissions. The following example will grant permissions to the holly-ivg user and group, but you can substitute a different user and group if needed.

chown holly-ivg:holly-ivg –R /export/home/VirtualHold/CTIEventConsumer/chmod +x –R /export/home/VirtualHold/CTIEventConsumer/

6. Start the holly service.

su - <<holly-linux-user>>hvpctl start

IVG 5.0+ with OS 7

Update Tomcat

Use the following steps to update the Apache Tomcat version.

1. Stop the tomcat service.

systemctl stop tomcat

2. Copy the contents of the Tomcat_Log4j2.17.1 and OpenJDK_3.9-through-51_Linux7x directories to the IVG server.

3. Navigate to the OpenJDK_3.9-through-51_Linux7xdirectory and upgrade the OpenJDK version.

yum -y --nogpgcheck --disablerepo=* localinstall *
Note:

If the above command returns package conflicts and fails to install the package, try this alternative:

yum -y install copy-jdk-configs java-1.8.0-openjdk-headless javapackages-tools libjpeg-turbo lksctp-tools python-javapackages python-lxml tzdata-java

4. Update the Java path.

update-alternatives --install /usr/bin/java java /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el7_9.x86_64/jre/bin/java 1update-alternatives --set java /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el7_9.x86_64/jre/bin/java

5. Back up and remove the existing jar files and configuration script.

cd <<tomcat-install-path>>/librm -f log4j-api-2.9.1.jar log4j-core-2.9.1.jar log4j-jul-2.9.1.jarcd <<tomcat-install-path>>/binrm -f setenv.sh

6. Navigate to the Log4j2.17.1 directory and copy the new jar files and new configuration script to the appropriate locations.

cp log4j-api-2.17.1.jar <<tomcat-install-path>>/libcp log4j-core-2.17.1.jar <<tomcat-install-path>>/libcp log4j-jul-2.17.1.jar <<tomcat-install-path>>/libcp setenv.sh <<tomcat-install-path>>/bindos2unix <<tomcat-install-path>>/bin/setenv.sh

7. Set appropriate permissions. The following example will grant permissions to the tomcat-ivg user and group, but you can substitute a different user and group if needed.

chown tomcat-ivg:tomcat-ivg -R <<tomcat-install-path>>chmod u+x -R <<tomcat-install-path>>

8. Start the tomcat service.

service tomcat start

Update the CTI Event Consumer service

1. Copy the contents of the CTIEventConsumer_log4j2.17.1_IVG5 directory to the IVG server.

2. Stop the holly service.

su - <<holly-linux-user>>hvpctl stop

3. Back up and remove the existing log4j jar files for CTI Event consumer.

rm –rf /export/home/VirtualHold/CTIEventConsumer/librm –rf /export/home/VirtualHold/CTIEventConsumer/ctieventconsumer-5.0.0.jarrm –f /export/home/VirtualHold/CTIEventConsumer/log4j2.xml

4. Navigate to the location of the CTIEventConsumer_log4j2.17.1_IVG5files and copy the new artifacts to the CTIEventConsumer directory.

cp –rp lib /export/home/VirtualHold/CTIEventConsumer/cp log4j2.xml /export/home/VirtualHold/CTIEventConsumer/dos2unix /export/home/VirtualHold/CTIEventConsumer/ log4j2.xmlcp ctieventconsumer-5.0.0.jar export/home/VirtualHold/CTIEventConsumer/

5. Set appropriate permissions. The following example will grant permissions to the holly-ivg user and group, but you can substitute a different user and group if needed.

chown holly-ivg:holly-ivg –R /export/home/VirtualHold/CTIEventConsumer/chmod +x –R /export/home/VirtualHold/CTIEventConsumer/

6. Start the holly service.

su - <<holly-linux-user>>hvpctl stop

IVG 3.9 to 4.1 with OS 7

Update Tomcat

1. Stop the tomcat service.

systemctl stop tomcat

2. Copy the contents of the following directories to the IVG server:

  • OpenJDK_3.9-through-4.1_Linux79
  • Tomcat_Log4j2.17.1

3. Navigate to the OpenJDK_3.9-through-4.1_Linux79 directory and upgrade the OpenJDK version.

yum -y --nogpgcheck --disablerepo=* localinstall *
Note:

If the above command returns package conflicts and fails to install the package, try this alternative:

yum -y install avahi-libs cups-libs freetype gnutls java-1.8.0-openjdk-headless jpackage-utils libjpeg-turbo libpng libtiff lksctp-tools pcsc-lite-libs tzdata-jav

4. Update the Java path.

update-alternatives --install /usr/bin/java java /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el7_9.x86_64/jre/bin/java 1 update-alternatives --set java /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el7_9.x86_64/jre/bin/java

5. Back up and remove the existing jar files and configuration script.

cd <<tomcat-install-path>>/lib rm -f log4j-api-2.9.1.jar log4j-core-2.9.1.jar log4j-jul-2.9.1.jar cd <<tomcat-install-path>>/bin rm -f setenv.sh

6. Navigate to the Tomcat_Log4j2.17.1 directory and copy the new jar files and new configuration script to the Tomcat installation path.

cp log4j-api-2.17.1.jar <<tomcat-install-path>>/libcp log4j-core-2.17.1.jar <<tomcat-install-path>>/libcp log4j-jul-2.17.1.jar <<tomcat-install-path>>/libcp setenv.sh <<tomcat-install-path>>/bindos2unix <<tomcat-install-path>>/bin/setenv.sh

7. Set the appropriate permissions. The following example will grant permissions to the tomcat-ivg user and group, but you can substitute a different user and group if needed.

chown tomcat-ivg:tomcat-ivg -R <<tomcat-install-path>> chmod u+x -R <<tomcat-install-path>>

8. Start the tomcat service.

service tomcat start

Update the CTI Event Consumer service

Note: These steps are only required for IVG 3.10 to 4.1.

1. Copy the contents of the new CTI Event Consumer artifacts directory (CTIEventConsumer_log4j2.17.1_IVG 3.10-through-4.1) from from the build server to the IVG server.

2. Stop the holly service.

service holly stop

3. Back up and remove the existing log4j jar files for CTI Event Consumer.

rm –rf /export/home/VirtualHold/CTIEventConsumer/lib rm –rf /export/home/VirtualHold/CTIEventConsumer/ctieventconsumer*.jar rm –f /export/home/VirtualHold/CTIEventConsumer/log4j2.xml

4. Navigate to the CTIEventConsumer_log4j2.17.1_IVG 3.10-through-4.1 directory and copy the new artifacts to the appropriate locations.

cp –rp lib /export/home/VirtualHold/CTIEventConsumer/ cp log4j2.xml /export/home/VirtualHold/CTIEventConsumer/ dos2unix /export/home/VirtualHold/CTIEventConsumer/ log4j2.xml cp ctieventconsumer*.jar export/home/VirtualHold/CTIEventConsumer/ctieventconsumer.jar

5. Set appropriate permissions. The following example will grant permissions to the holly-ivg user and group, but you can substitute a different user and group if needed.

chown holly-ivg:holly-ivg –R /export/home/VirtualHold/CTIEventConsumer/ chmod +x –R /export/home/VirtualHold/CTIEventConsumer/

6. Start the holly service.

systemctl start holly

IVG 3.9 to 4.1 with OS 6

Update Tomcat

1. Stop the tomcat service.

systemctl stop tomcat

2. Copy the contents of the following directories to the IVG server:

  • OpenJDK_3.9-through-4.1_Linux610
  • Tomcat_Log4j2.17.1

3. Navigate to the OpenJDK_3.9-through-4.1_Linux610 directory and upgrade the OpenJDK version.

yum -y --nogpgcheck --disablerepo=* localinstall *
Note:

If the above command returns package conflicts and fails to install the package, try this alternative:

yum -y install avahi-libs cups-libs freetype gnutls java-1.8.0-openjdk-headless jpackage-utils libjpeg-turbo libpng libtiff lksctp-tools pcsc-lite-libs tzdata-jav

4. Update the Java path

update-alternatives --install /usr/bin/java java /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.275.b01-0.el6_10.x86_64/jre/bin/java 1update-alternatives --set java /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.275.b01-0.el6_10.x86_64/jre/bin/java

5. Back up and remove the existing jar files and configuration script.

cd <<tomcat-install-path>>/lib rm -f log4j-api-2.9.1.jar log4j-core-2.9.1.jar log4j-jul-2.9.1.jar cd <<tomcat-install-path>>/bin rm -f setenv.sh

6. Navigate to the Tomcat_Log4j2.17.1 directory and copy the new jar files and configuration script to the appropriate locations.

cp log4j-api-2.17.1.jar <<tomcat-install-path>>/libcp log4j-core-2.17.1.jar <<tomcat-install-path>>/libcp log4j-jul-2.17.1.jar <<tomcat-install-path>>/libcp setenv.sh <<tomcat-install-path>>/bindos2unix <<tomcat-install-path>>/bin/setenv.sh

7. Set appropriate permissions. The following example will grant permissions to the tomcat-ivg user and group, but you can substitute a different user and group if needed.

chown tomcat-ivg:tomcat-ivg -R <<tomcat-install-path>> chmod u+x -R <<tomcat-install-path>>

8. Start the tomcat service.

service tomcat start

Update the CTI Event Consumer service

Note:

These steps are only required for IVG 3.10 to 4.1.

1. Copy the contents of the new CTI Event Consumer artifacts directory (CTIEventConsumer_log4j2.17.1_IVG 3.10-through-4.1) from the build server to the IVG server.

2. Stop the holly service.

service holly stop

3. Back up and remove the existing log4j jar files for CTI Event consumer.

rm –rf /export/home/VirtualHold/CTIEventConsumer/lib rm –rf /export/home/VirtualHold/CTIEventConsumer/ctieventconsumer*.jar rm –f /export/home/VirtualHold/CTIEventConsumer/log4j2.xml

4. Navigate to the CTIEventConsumer_log4j2.17.1 directory and copy the new artifacts to the CTI Event Consumer directory.

cp –rp lib /export/home/VirtualHold/CTIEventConsumer/ cp log4j2.xml /export/home/VirtualHold/CTIEventConsumer/ dos2unix /export/home/VirtualHold/CTIEventConsumer/ log4j2.xml cp ctieventconsumer*.jar export/home/VirtualHold/CTIEventConsumer/ctieventconsumer.jar

5. Set appropriate permissions. The following example will grant permissions to the holly-ivg user and group, but you can substitute a different user and group if needed.

chown holly-ivg:holly-ivg –R /export/home/VirtualHold/CTIEventConsumer/ chmod +x –R /export/home/VirtualHold/CTIEventConsumer/

6. Start the holly service

systemctl start holly

IVG 3.5 to 3.8

You will only need to update the Apache Tomcat version when using IVG 3.5 to 3.8.

1. Stop the tomcat service.

systemctl stop tomcat

2. Copy the contents of the following directories to the IVG server:

  • JRE_3.5-through-3.8
  • Tomcat_Log4j2.17.1

3. Navigate to the JRE_3.5-through-3.8 directory and upgrade the OpenJDK version.

yum -y --nogpgcheck --disablerepo=* localinstall *

4. Update the Java path.

update-alternatives --install /usr/bin/java java /usr/java/jre1.8.0_202-amd64/bin/java 1update-alternatives --set java /usr/java/jre1.8.0_202-amd64/bin/java

5. Back up and remove the existing jar files and configuration script.

cd <<tomcat-install-path>>/librm -f log4j-api-2.9.1.jar log4j-core-2.9.1.jar log4j-jul-2.9.1.jarcd <<tomcat-install-path>>/binrm -f setenv.sh

6. Navigate to the Tomcat_Log4j2.17.1 directory and copy the new jar files and new configuration script to the Tomcat installation path.

cp log4j-api-2.17.1.jar <<tomcat-install-path>>/libcp log4j-core-2.17.1.jar <<tomcat-install-path>>/libcp log4j-jul-2.17.1.jar <<tomcat-install-path>>/libcp setenv.sh <<tomcat-install-path>>/bindos2unix <<tomcat-install-path>>/bin/setenv.sh

7. Set appropriate permissions. The following example will grant permissions to the tomcat-ivg user and group, but you can substitute a different user and group if needed.

chown tomcat-ivg:tomcat-ivg -R <<tomcat-install-path>>chmod u+x -R <<tomcat-install-path>>

8. Start the tomcat service

service tomcat start

Standalone VIS on Windows

Note: This process was validated using Tomcat 9.0.56, 8.5.73, 7.0.109 and 6.0.53 with JRE 1.8.0.112 on Windows Server.

Prerequisite

  • Log4j version 2.13.0 and higher require Java 8

Upgrade Instructions

  1. Extract the contents of the log4j2_2.17.1 archive to Tomcat\lib
  2. Configure the Context element within Tomcat\conf\context.xml to contain swallowOutput="true"
  3. Launch the Tomcat configuration utlity (Tomcat<version>w located at \\Program Files (x86)\Apache Software Foundation\Tomcat <version>\bin by default)
example location of tomcat 7w
3a. On the Java tab, confirm that each of the following are included in the Java Classpath, and add any missing paths from this list:
  • C:\Program Files\Apache Software Foundation\Tomcat {Version}\bin
  • C:\Program Files\Apache Software Foundation\Tomcat {Version}\lib
  • C:\Program Files\Apache Software Foundation\Tomcat {Version}\bin\bootstrap.jar
  • C:\Program Files\Apache Software Foundation\Tomcat {Version}\bin\tomcat-juli.jar
  • C:\Program Files\Apache Software Foundation\Tomcat {Version}\lib\tomcat-juli-adapters.jar
  • C:\Program Files\Apache Software Foundation\Tomcat {Version}\lib\log4j-core-2.17.1.jar
  • C:\Program Files\Apache Software Foundation\Tomcat {Version}\lib\log4j-api-2.17.1.jar
  • C:\Program Files\Apache Software Foundation\Tomcat {Version}\lib\log4j-jul-2.17.1.jar
example location of the java classpath

3b. Make the following updates in the Java Options section:

  • Update the Djava.util.logging.manager property to read -Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
  • Update the Djava.util.logging.config.file property to read -Djava.util.logging.config.file=C:\Program Files\Apache Software Foundation\Tomcat {Version}\lib\log4j2.xml

4. Restart the tomcat service

Standalone VIS on Linux

For standalone VIS deployments on Linux servers, follow the instructions in the appropriate IVG tab for your CentOS/RHEL version.