LOG4J Security Vulnerability

Log4j is a common Java logging library provided by Apache and used in many products, such as Java applications or web service platforms. XPLM products use log4j libraries directly or indirectly in their code. The critical issue is a security vulnerability in the log4j libraries, as explained here:

https://logging.apache.org/log4j/2.x/security.html

XPLM's remediation strategy falls into the following categories.

Category 1: Remove the critical class file from existing log4j libraries (disable the critical log4j functionality completely)

An immediate solution to disable the critical functionality is to remove the critical class file from the log4j jar files and from any bundled third-party jar files that contain it. The following file has to be removed inside the jar files:

org\apache\logging\log4j\core\lookup\JndiLookup.class

Affected jar files:

              General log4j                   log4j-core*.jar    version 2.x
              General log4j                   log4j*.jar         version 2.x

Affected jar files in XPLM products:

              ECAD Integrate                  ivs-*-main.jar     (multiple locations)

General removal instructions, to be executed on each jar:

1. Close the XPLM integration and connected tools, and make sure the connector's platform is not running (no icon in the system tray)

2. Go to the affected jar files and change the .jar file extension to .zip

3. Edit the zip: delete the file org\apache\logging\log4j\core\lookup\JndiLookup.class

4. Rename .zip back to .jar

Removing the class has no side effects for the integrations, as the corresponding class is not used by the integrations.
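As an added example (not XPLM's or Apache's code), the following Python script automates steps 2 to 4 for every jar below a directory, which also covers the "multiple locations" of the ivs-*-main.jar files, and reports which jars still contain the class afterwards so the result can be verified. It runs against a constructed sample jar; the install directory you point it at is an assumption.

```python
import os
import tempfile
import zipfile

# Zip entries always use forward slashes, even for jars built on Windows.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def has_jndi_lookup(jar_path):
    """True if the jar still ships the lookup class the advisory says to delete."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; returns True if it was removed."""
    if not has_jndi_lookup(jar_path):
        return False
    # zipfile cannot delete in place: copy every other entry into a sibling file.
    tmp = jar_path + ".clean"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # swap the cleaned archive over the original
    return True

def find_affected_jars(root):
    """Walk a tree (e.g. an integration's install dir) and list jars still affected."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".jar")):
            path = os.path.join(dirpath, name)
            try:
                if has_jndi_lookup(path):
                    hits.append(path)
            except zipfile.BadZipFile:
                pass  # not a zip archive despite the extension
    return sorted(hits)

def run_demo():
    """Build a constructed sample jar (not a real log4j build), then strip it."""
    sample = os.path.join(tempfile.mkdtemp(), "log4j-core-sample.jar")
    with zipfile.ZipFile(sample, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    before = len(find_affected_jars(os.path.dirname(sample)))
    removed = strip_jndi_lookup(sample)
    with zipfile.ZipFile(sample) as jar:
        remaining = sorted(jar.namelist())
    return before, removed, len(find_affected_jars(os.path.dirname(sample))), remaining
```

Stop the integration before running it against a real install directory, as in step 1, because a jar that is open in a running JVM cannot be replaced safely.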

The critical lookup functionality can also be disabled in log4j through an environment setting, but this workaround provided by Apache is not proven safe in all cases.

SET LOG4J_FORMAT_MSG_NO_LOOKUPS=true

This setting should be set in the startup scripts of the XPLM integration products and/or as a system environment variable to switch off the critical functionality. Make sure the systems are restarted after the changes.

Category 2: Replace log4j with Version 2.17 or higher

The vulnerability has been fixed in log4j 2.17 and higher. Administrators must replace the log4j libraries and adjust all startup class paths and command scripts for Java.

Hotfixes for dedicated products provide the updated log4j library and the related configuration settings in startup scripts for easier installation. The following hotfixes are available:

Category 3: XPLM Product Releases or Hotfix

Going forward, all future XPLM product releases will contain log4j version 2.17 or higher.

If you have questions or need support applying these actions, please reach out to support@xplm.com and include the following information:

  • Customer name and contact name
  • XPLM product in use, including version and latest update
  • Integrated products you are using from other vendors

All product remediation actions provided by XPLM apply to current and actively supported software versions. However, the remediation steps for these versions will be similar or identical to those for earlier versions that use Log4j v1 or v2 and are no longer actively supported by XPLM.

XPLM strongly encourages customers on older versions to take similar actions to protect their infrastructure; they should not assume that previous versions of the software are not impacted by the vulnerabilities disclosed to date.