High priority - Log4J security announcement | hannahb | 2021-12-10 13:55
Yesterday, researchers announced a critical vulnerability (CVE-2021-44228) in Log4J, a popular Java logging library that LabKey Server versions 20.11 and later use.
All LabKey Server administrators must take action to protect their installations immediately, especially installations that are open on the public Internet. We are making these changes for all hosted customers today; this will involve a short server downtime, and you will receive notice of it shortly.
Right now, administrators must add a system property (-Dlog4j2.formatMsgNoLookups=true) so that Log4J disables the message lookup feature that the vulnerability abuses. The exact mechanism for setting this property depends on how Tomcat is installed and launched.
For Linux installations, locate the JAVA_OPTS or CATALINA_OPTS environment variables for your Tomcat installation. These settings are typically located under the /etc/init.d/tomcat startup file, the /etc/systemd/system/tomcat.service startup file, the /etc/default/tomcat file, or the CATALINA_HOME/bin/setenv.sh script. Once the JAVA_OPTS or CATALINA_OPTS line is located, add -Dlog4j2.formatMsgNoLookups=true to the end of the line and restart Tomcat.
For Windows installations running Tomcat as a service, typically admins should use the “tomcat9w.exe” utility to adjust the settings. The following doc page shows how to adjust these kinds of settings in a variety of environments.
If you are setting the system property, you can confirm that it was picked up after restarting Tomcat. Go to Admin Console -> System Properties and confirm that the “log4j2.formatMsgNoLookups” property is shown with the value “true”.
Early next week we will release a patched version of LabKey Server that incorporates Log4J 2.15.0, which eliminates the need for the system property going forward. We will post this version to support portals as soon as it is available.
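As an added example (not LabKey's own tooling), the following POSIX shell script covers the setenv.sh route from the Linux instructions above: it appends the property to a Tomcat setenv.sh only if it is not already there, and it checks a JVM argument list (for example the output of `ps -o args= -p <tomcat-pid>`) for the flag, as a command-line counterpart to the Admin Console check. The setenv.sh path and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: idempotently add the Log4J mitigation flag to a Tomcat
# setenv.sh and verify that a JVM was started with it.
# Assumption: setenv.sh is sourced by catalina.sh, so appending a new
# CATALINA_OPTS line is enough; we do not edit existing lines in place.

LOG4J_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Return 0 if the flag already appears anywhere in the given file.
has_log4j_flag() {
    grep -qF -- "$LOG4J_FLAG" "$1"
}

# Append the flag to CATALINA_OPTS unless it is already present.
# Returns 0 when the file contains the flag afterwards.
add_log4j_flag() {
    file="$1"
    if has_log4j_flag "$file"; then
        return 0
    fi
    # Use a single-quoted format so $CATALINA_OPTS is written literally
    # and expanded later by the shell that sources setenv.sh.
    printf 'CATALINA_OPTS="$CATALINA_OPTS %s"\n' "$LOG4J_FLAG" >> "$file"
    has_log4j_flag "$file"
}

# Return 0 if a JVM argument string contains the flag as a whole token,
# e.g. jvm_args_have_flag "$(ps -o args= -p "$TOMCAT_PID")".
jvm_args_have_flag() {
    case " $1 " in
        *" $LOG4J_FLAG "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on a constructed setenv.sh (not a real installation).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/setenv.sh"
printf 'CATALINA_OPTS="-Xmx2g"\n' > "$demo_file"
add_log4j_flag "$demo_file"
add_log4j_flag "$demo_file"   # second call must not duplicate the line
echo "Resulting $demo_file:"
cat "$demo_file"
rm -rf "$demo_dir"
```

After applying this to a real installation, restart Tomcat and then run the Admin Console check described above.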
Please reach out via your support portal with questions and requests for help in making these changes.
For more details on the Log4J vulnerability itself, see https://github.com/advisories/GHSA-jfh8-c2jp-5v3q