How to Manually Patch the Log4j CVEs (CVE-2021-44228, CVE-2021-45046)

Log4j is the open source library we use for logging in the Java and JAVA RESTful engines.

This vulnerability only affects the Java and Java RESTful engines.

The .NET and .NET RESTful engines and the Windward Designer (f.k.a. AutoTag) are NOT affected, since Log4j is a Java-specific dependency.

Windward Studios is actively responding to the reported remote code execution vulnerabilities in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam), CVE-2021-44228 and CVE-2021-45046, which between them affect Log4j versions 2.0-beta9 through 2.15.0 (CVE-2021-44228 up to 2.14.1; CVE-2021-45046, the incomplete fix, up to 2.15.0). An unauthenticated remote attacker who can get attacker-controlled text into a logged message can exploit this to execute code on the affected system.

We have determined that version 20.2.0 of the Java and Java RESTful engines and subsequent versions include a vulnerable Log4j library version (2.8.0). Windward Java engines prior to version 20.2.0 are NOT affected by this Log4j vulnerability.

We will be providing a patch for version 21.5.0 later this week that addresses this issue by including the fixed Log4j version from the Apache Software Foundation. Apache's latest release was yesterday (12/13/2021).

If you are unable to apply the patch, or want to mitigate the issue before the patch is released, follow the instructions below.

There are two ways to mitigate this issue:

1. Set the system property log4j2.formatMsgNoLookups=true.

2. Replace the Log4j jar files on your system(s) with a fixed release (https://logging.apache.org/log4j/2.x/download.html).

Two caveats on option 1. Log4j only reads log4j2.formatMsgNoLookups from version 2.10.0 onwards, so on the 2.8.0 library shipped with 20.2.0 the property has no effect at all. Apache has also since classified the property as an incomplete mitigation: CVE-2021-45046 records that message lookups can still be reached in some configurations with it set. Treat option 1 as a stopgap only. Prefer option 2, or, where a jar swap is not possible, remove the class org/apache/logging/log4j/core/lookup/JndiLookup.class from log4j-core, which disables the JNDI lookup on every 2.x release.


Java Engine

  1. You may mitigate this vulnerability by setting the system property log4j2.formatMsgNoLookups to true in your Java environment, by adding the argument -Dlog4j2.formatMsgNoLookups=true when launching your Java application. This only takes effect if the log4j-core in your Jars folder is version 2.10.0 or later; older versions silently ignore the property.

    Here is the updated command for the RunReport example that ships with our Windows installer:

    java -Dlog4j2.formatMsgNoLookups=true -cp "%__CP%" -Djava.library.path="%__JARS%" net.windward.xmlreport.RunReport InternetMarketingReport.docx "%TEMP%\testreport.pdf" -xml:INTMARKETING InternetMarketingData.xml -launch

  2. You can also substitute a newer Log4j release yourself. Replace all three jars together, at the same version, since the SLF4J binding is built against a matching log4j-core: log4j-api.jar, log4j-core.jar, and log4j-slf4j-impl.jar. Log4j 2.13 and later require Java 8; if the engine runs on Java 7, use 2.12.2, the last Java 7 release that fixes both CVEs.

    These are located in your Jars folder.
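To confirm which Log4j actually sits in the Jars folder (or in the RESTful engine's WEB-INF/lib under Tomcat) before and after swapping the jars, here is an added verification script. It is not Windward's or Apache's code. It reads each log4j-core jar's version from its manifest or Maven pom.properties, reports whether the JndiLookup class that Log4Shell abuses is still inside the jar, and whether the formatMsgNoLookups property can apply at all (Log4j honours it only from 2.10.0). It can also write a copy of a jar with JndiLookup.class removed, the fallback Apache documented for installations where no fixed jar can be dropped in. Assumptions: jar file names start with log4j-core as upstream names them; the sample jars the demo builds are constructed placeholders carrying an empty JndiLookup entry, not real Log4j.

```python
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# The class whose JNDI lookup a "${jndi:...}" string in a logged message reaches.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JAR_NAME = re.compile(r"^log4j-core(?:-.*)?\.jar$", re.I)  # assumption: upstream jar naming kept
Version = Tuple[int, int, int]

def parse_version(text: str) -> Optional[Version]:
    """'2.8' -> (2, 8, 0); '2.16.0' -> (2, 16, 0); '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def jar_version(zf: zipfile.ZipFile, path: str) -> Optional[Version]:
    """Version from MANIFEST.MF, else Maven pom.properties, else the file name."""
    names = set(zf.namelist())
    candidates = []
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.lower().startswith("implementation-version:"):
                candidates.append(line.split(":", 1)[1])
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                candidates.append(line.split("=", 1)[1])
    m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)", os.path.basename(path))
    if m:
        candidates.append(m.group(1))
    return next((v for v in map(parse_version, candidates) if v), None)

def fixes_page_cves(v: Version) -> bool:
    """2.16.0+ (or 2.12.2 on the Java 7 line) closes CVE-2021-44228 and CVE-2021-45046.
    Later Log4j CVEs needed later releases and are not covered here."""
    return v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0)

def audit_jar(path: str) -> Dict[str, object]:
    """Report version, presence of JndiLookup.class and whether the property can apply."""
    with zipfile.ZipFile(path) as zf:
        version = jar_version(zf, path)
        jndi_present = JNDI_LOOKUP in zf.namelist()
    # log4j2.formatMsgNoLookups is only read by Log4j 2.10.0 and later.
    property_effective = version is not None and version >= (2, 10, 0)
    if version is not None and fixes_page_cves(version):
        status = "patched"
    elif not jndi_present:
        status = "mitigated: JndiLookup.class removed"
    elif version is None:
        status = "UNKNOWN version with JndiLookup.class present; treat as vulnerable"
    elif not property_effective:
        status = "VULNERABLE: formatMsgNoLookups is ignored before 2.10; upgrade or strip JndiLookup"
    else:
        status = "VULNERABLE: formatMsgNoLookups is an incomplete fix (CVE-2021-45046); upgrade"
    return {"jar": path, "version": version, "jndi_lookup_present": jndi_present,
            "property_effective": property_effective, "status": status}

def audit_tree(root: str) -> List[Dict[str, object]]:
    """Walk root, e.g. the engine's Jars folder or Tomcat's webapps/<app>/WEB-INF/lib."""
    return [audit_jar(os.path.join(d, f)) for d, _, files in os.walk(root)
            for f in sorted(files) if JAR_NAME.match(f)]

def strip_jndi_lookup(src: str, dst: str) -> bool:
    """Copy src to dst without JndiLookup.class (what Apache's `zip -d` fallback does).
    Returns True if the class was actually present and removed."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed

def make_sample_jar(path: str, version: str, with_jndi: bool = True) -> str:
    """Constructed stand-in for a log4j-core jar (manifest, pom.properties, and an empty
    placeholder entry for JndiLookup.class). Demo input only, not real Log4j."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(POM_PROPS, f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"")
    return path

def demo() -> Dict[str, Dict[str, object]]:
    """Audit four constructed jars in a temp directory; results keyed by file name."""
    d = tempfile.mkdtemp()
    old = make_sample_jar(os.path.join(d, "log4j-core-2.8.jar"), "2.8")  # the 2.8 line 20.2.0 ships
    strip_jndi_lookup(old, os.path.join(d, "log4j-core-2.8-nojndi.jar"))
    make_sample_jar(os.path.join(d, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(d, "log4j-core-2.16.0.jar"), "2.16.0", with_jndi=False)
    results = {os.path.basename(r["jar"]): r for r in audit_tree(d)}
    for name, r in results.items():
        print(f"{name}: version={r['version']} {r['status']}")
    return results

if __name__ == "__main__":
    demo()
```

Point audit_tree at the Jars folder before and after the swap; a 2.8 result shows why the property alone does nothing there. Stripping the class removes the JNDI lookup feature outright, which is what you want unless your own log configuration relies on ${jndi:} lookups, and a stripped jar should still be replaced by a fixed release when the patch ships.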

Java RESTful Engine

For the Java RESTful Engine, add the same option, -Dlog4j2.formatMsgNoLookups=true, to CATALINA_OPTS. As with the Java Engine, this only helps if the Log4j bundled in the engine's WAR file is 2.10.0 or later.

Tomcat picks this variable up from catalina.bat on Windows or catalina.sh on Unix or Linux. Rather than editing those scripts directly, put the setting in bin/setenv.bat or bin/setenv.sh (create the file if it does not exist); catalina.bat and catalina.sh source it at startup, so the change survives a Tomcat upgrade.


In setenv.bat (or catalina.bat), include:

set "CATALINA_OPTS=%CATALINA_OPTS% -Dlog4j2.formatMsgNoLookups=true"


In setenv.sh (or catalina.sh), include:

export CATALINA_OPTS="$CATALINA_OPTS -Dlog4j2.formatMsgNoLookups=true"

Appending to the existing value rather than overwriting it keeps any JVM options you already set (heap size, for example). Restart Tomcat afterwards and confirm the flag appears on the running JVM's command line.


