Log4j is a common Java logging library provided by Apache that is used in many products, such as Java applications or web service platforms. XPLM products use log4j libraries directly or indirectly in their code. The critical issue is a security vulnerability in the log4j libraries, as explained here:
https://logging.apache.org/log4j/2.x/security.html
XPLM's remediation strategy falls into the following categories.
Category 1: Remove the critical class file from existing log4j libraries
Disable the critical log4j functionality completely
An immediate solution to disable the critical functionality is to remove the critical class file from the log4j jar files and from any bundled third-party jar files. The following file has to be removed from inside the jar files:
org\apache\logging\log4j\core\lookup\JndiLookup.class
Affected jar files are:
General log4j: log4j-core*.jar, version 2.x
General log4j: log4j*.jar, version 2.x
Affected jar files in XPLM products:
ECAD Integrate: ivs-*-main.jar (multiple locations)
General removal instructions, to be executed on each affected jar:
1. Close the XPLM Integration and connected tools, and make sure the connector's platform is not running (no icon in the system tray).
2. Go to the affected jar file and change the .jar file extension to .zip.
3. Edit the zip: delete the file org\apache\logging\log4j\core\lookup\JndiLookup.class.
4. Rename the .zip back to .jar.
Removing the class has no side effects for the integrations, as the corresponding class is not used by the integrations.
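As an added example (not part of the XPLM advisory), the following Python script automates the procedure above: it scans a directory tree for jar files that still contain JndiLookup.class and rewrites each one without that entry, keeping a .bak copy for rollback. The sample jar it builds is constructed for the demonstration, and all function names are assumptions.

```python
import os
import shutil
import tempfile
import zipfile

# Jar entry the advisory says must be removed (zip entries always use '/').
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def contains_jndi_lookup(jar_path):
    """True if the jar still carries the vulnerable lookup class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()

def find_affected_jars(root):
    """Walk root and list every *.jar that still contains the class."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".jar") and contains_jndi_lookup(path):
                hits.append(path)
    return sorted(hits)

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in
    place); keeps a .bak copy for rollback. True if the class was removed."""
    if not contains_jndi_lookup(jar_path):
        return False
    shutil.copy2(jar_path, jar_path + ".bak")
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return True

def build_sample_jar(path):
    """Constructed stand-in for a log4j 2.x jar, so the demo runs offline."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe")
    return path

def run_demo():
    """Build a sample jar, remediate it; returns (found, removed, clean, second_pass)."""
    root = tempfile.mkdtemp()
    jar = build_sample_jar(os.path.join(root, "sample-log4j-core.jar"))
    found = len(find_affected_jars(root))
    removed = strip_jndi_lookup(jar)
    return found, removed, not find_affected_jars(root), strip_jndi_lookup(jar)
```

Run find_affected_jars against the installation root once more after patching to confirm no jar in any location still carries the class.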
The critical lookup functionality can also be disabled in log4j via an environment variable, but this workaround provided by Apache is not proven safe in all cases.
SET LOG4J_FORMAT_MSG_NO_LOOKUPS=true
This variable should be set in the startup scripts of XPLM integration products and/or as a system environment variable to switch off the critical functionality. Make sure the affected systems are restarted after the change.
Category 2: Replace log4j with Version 2.17 or higher
The vulnerability has been fixed in log4j version 2.17 and higher. Administrators must replace the log4j libraries and adjust all Java startup class paths and command scripts accordingly.
Hotfixes for dedicated products provide the updated log4j library and the related configuration settings in startup scripts for easier installation. The following hotfixes are available:
Category 3: XPLM Product Releases or Hotfix
Going forward, all future XPLM product releases will contain log4j version 2.17 or higher.
If you have questions or need support applying these actions, please reach out to support@xplm.com with the following information:
All product remediation actions provided by XPLM apply to current and actively supported software versions. However, the remediation steps for these versions will be similar or identical to those for earlier versions that use Log4j v1 or v2 and are no longer actively supported by XPLM.
XPLM strongly encourages customers on older versions to take similar actions to protect their infrastructure; they should not assume that previous versions of the software are unaffected by the vulnerabilities disclosed to date.