If you have questions feel free to ask them in the forum. This will allow other users to follow the ongoing "changes". The patch instructions are quite generic. They apply in a comparable manner to Linux versions, too.
Besides this thread I recommend subscribing to further resources to stay up2date:
- The official DEV BLOG feed from our product management. MOST Important!
- The specific thread where I will keep you up2date about the LOG4J issue
- Last but not least: The generic infostream where we announce new server setup versions. May it be because of log4J, other security issues or new features.
Keep in mind that the forum enables you to ask questions, which is not possible in the DEV Blog. Let's rock this sh_t
--------------
Hi everyone,
Here are some instructions our PM provided - feel free to use them to patch an existing xServer2 environment if you want to harden your environment against the current hot "LOG4J" issue. The proper but more complex solution is to update to v2.25.1 (released on Dec. 13th, 2021). But if you want to keep the existing instance you might check the approach below:
We have three things to do to solve the problem (be aware that my path values are just examples - you need to check what your own path is first):
- Set an environment variable of the system and replace the log4j libraries in PTV xServer and PTV Content Update Service.
Please do not update Amazon Corretto in any case! (xServer2 still requires Java8)
How to set the environment variable:
- Press the Windows key and type Environment.
- Select "Edit the system environment variables". A "System Properties" menu appears.
- Click on "Environment Variables...".
- Click on "New..." in the "System variables" area.
- Create a new environment variable with the name "LOG4J_FORMAT_MSG_NO_LOOKUPS" and the value "true".
- Click twice on "OK" to complete the change.
Please contact the manufacturers of other software products to get an assessment of vulnerability and possible updates.
- Update libraries of the PTV xServer
- Please stop the PTV xServer.
- Please change to the xServer2 installation directory (into the given subfolder), e.g. C:\ptv-xserver\server\2.x.y\webapps\services\WEB-INF\lib
- Now delete all files beginning with "log4j":
log4j-api-2.x.jar
log4j-core-2.x.jar
log4j-slf4j-impl-2.x.jar
log4j-web-2.x.jar
- The file log4j-api-2.x.jar can be named e.g.: log4j-api-2.13.1.jar
- Now unzip the file log4j-2.16.0-libraries.zip into a temporary directory and copy the files
log4j-api-2.16.0.jar
log4j-core-2.16.0.jar
log4j-slf4j-impl-2.16.0.jar
log4j-web-2.16.0.jar
into the directory C:\ptv-xserver\server\2.x.y\webapps\services\WEB-INF\lib
- Now the PTV xServer can be restarted. (The computer does not have to be restarted.)
- Update libraries of the PTV Content Update Service
Nearly the same as for PTV xServer must be done for the PTV Content Update Service.
- Please stop the PTV Content Update Service.
- Please change to the directory C:\ptv-xserver\server\CUS\2.x\webapps\contentupdateservice\WEB-INF\lib
- Now delete all files beginning with "log4j":
log4j-api-2.x.jar
log4j-core-2.x.jar
log4j-slf4j-impl-2.x.jar
- Unzip the file log4j-2.16.0-libraries-contentupdateservice.zip into a temporary directory and copy the files
log4j-api-2.16.0.jar
log4j-core-2.16.0.jar
log4j-slf4j-impl-2.16.0.jar
into the directory C:\ptv-xserver\server\CUS\2.x\webapps\contentupdateservice\WEB-INF\lib
- Now the PTV Content Update Service can be restarted. (The computer does not have to be restarted.)
Please keep in mind to update your server once you are aware that we have security related patches. We recommend subscribing to the famous product management DEV BLOG or the PTV xServer Forum INFOSTREAM.
Bernd
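
A post-patch check for the steps above, as an added example that is not part of the original post and not PTV tooling: it reports log4j jars in a WEB-INF\lib directory that are not version 2.16.0, reports replacement jars that are missing, and tests the value of the environment variable. The function names are hypothetical and the file names in `demo()` are constructed sample data.

```python
import os
import re
import tempfile
from pathlib import Path

EXPECTED = "2.16.0"  # version of the replacement jars named in the post
ENV_NAME = "LOG4J_FORMAT_MSG_NO_LOOKUPS"
XSERVER_JARS = ("log4j-api", "log4j-core", "log4j-slf4j-impl", "log4j-web")
CUS_JARS = ("log4j-api", "log4j-core", "log4j-slf4j-impl")
JAR_RE = re.compile(r"^(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$", re.I)

def audit_lib_dir(lib_dir, required):
    """Return findings for one WEB-INF/lib directory; an empty list means OK."""
    findings, seen = [], set()
    for jar in sorted(Path(lib_dir).glob("log4j*.jar")):
        m = JAR_RE.match(jar.name)
        if not m:
            findings.append(f"unrecognised log4j file: {jar.name}")
        elif m.group(2) != EXPECTED:
            findings.append(f"leftover old jar: {jar.name}")
        else:
            seen.add(m.group(1).lower())
    for artifact in required:
        if artifact not in seen:
            findings.append(f"missing {artifact}-{EXPECTED}.jar")
    return findings

def env_flag_set(environ=None):
    """True if the variable is 'true' in the given environment mapping.
    With no argument this checks the environment of the process running
    the script, not that of the already running service."""
    environ = os.environ if environ is None else environ
    return environ.get(ENV_NAME, "").strip().lower() == "true"

def demo():
    """Constructed sample: a half-patched xServer lib directory."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("log4j-api-2.16.0.jar", "log4j-core-2.13.1.jar",
                     "log4j-core-2.16.0.jar", "log4j-slf4j-impl-2.16.0.jar"):
            (Path(tmp) / name).touch()
        return audit_lib_dir(tmp, XSERVER_JARS)

if __name__ == "__main__":
    print("env flag set:", env_flag_set())
    # For a real check, call audit_lib_dir(<your lib path>, XSERVER_JARS or CUS_JARS).
    for finding in demo():
        print(finding)
```
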