Vulnerability in Apache Log4J 2 which is used in InCenter

Last modified on 12 Jan, 2022. Revision 10
Log4J 2 is a component of the log database that is included in InCenter. Because the component is used internally, we strongly recommend reconfiguring InCenter so that it is not susceptible to this vulnerability, whether or not any external systems send log data to InCenter.
Up to date for
InCenter 2.1.0
Status OK

Affected versions

Remote code execution through this vulnerability is not possible; however, the system is susceptible to an information leak via DNS, particularly regarding CVE-2021-44228 and CVE-2021-45046.

InCenter is not exploitable by CVE-2021-45105 and CVE-2021-44832.

Fix Information

The vulnerability is fixable by adding the following JVM property to the startup of the log database: -Dlog4j2.formatMsgNoLookups=true 

This fix mitigates both CVE-2021-44228 and CVE-2021-45046.

See the applicable section below. For more detail, please don’t hesitate to contact Clavister Support!

InCenter 2.0 or older

Log in to the underlying operating system (via console, or via SSH if that is enabled) with administrator credentials. Add the property by executing the following command once:

echo -Dlog4j2.formatMsgNoLookups=true | sudo -u elasticsearch tee -a /etc/elasticsearch/jvm.options 

Then reboot the whole system, or restart the log database by executing the following command:

sudo systemctl restart elasticsearch.service 

The restart may take some time, depending on the size of the log database. It may not be possible to receive logs during that time.

InCenter 2.1 or newer

Log in to the underlying operating system (via console, or via SSH if that is enabled) with administrator credentials. Add the property by executing the following command once:

echo -Dlog4j2.formatMsgNoLookups=true | sudo -u opensearch tee -a /usr/share/opensearch/config/jvm.options 

Then reboot the whole system, or restart the log database by executing the following command:

sudo systemctl restart opensearch.service 

The restart may take some time, depending on the size of the log database. It may not be possible to receive logs during that time.
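
Both procedures above append the property with tee -a, so running the command a second time duplicates the line, and a commented-out copy of the property would not protect the system. The following script is an added example, not Clavister code: it checks a jvm.options file for an active copy of the property, appends it only when it is missing, and can check a process command line after the restart. The function names are hypothetical, and it is an assumption that the log database passes jvm.options entries to java as command-line arguments.

```shell
#!/bin/sh
# Added example, not Clavister code. The flag and file paths come from the article.
OPT='-Dlog4j2.formatMsgNoLookups=true'

# 0 if FILE ($1) holds OPTION ($2) as an active line; 1 if not; 2 if unreadable.
# A commented-out copy ("# -D...") does not count. CRs and edge blanks are ignored.
has_jvm_option() {
    [ -r "$1" ] || return 2
    tr -d '\r' < "$1" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -Fxq -- "$2"
}

# Append OPTION ($2) to FILE ($1) only when it is not already active.
ensure_jvm_option() {
    has_jvm_option "$1" "$2" && return 0
    [ -r "$1" ] && [ -w "$1" ] || { echo "cannot update $1" >&2; return 2; }
    # If the last line lacks a newline, add one so the flag is not glued to it.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n' >> "$1"
    fi
    printf '%s\n' "$2" >> "$1"
}

# 0 if a process command line ($1) carries OPTION ($2) as its own argument.
# Assumption: the log database passes jvm.options entries to java as arguments.
cmdline_has_option() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -Fxq -- "$2"
}

# Usage: sudo -u opensearch sh this_script /usr/share/opensearch/config/jvm.options
if [ "$#" -ge 1 ]; then
    ensure_jvm_option "$1" "$OPT" && echo "active in $1"
fi
```

After the restart, the output of ps -o args= -u opensearch (or -u elasticsearch on InCenter 2.0 or older) can be passed to cmdline_has_option as its first argument to confirm that the running log database picked up the property.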

Security Patches

The issue will be fixed in all future versions of InCenter.
