LOG4J : patch instructions for an existing xServer2


Post by Bernd Welter »

Hi there, please be aware that this ongoing thread deals with the LOG4J issues which have been identified in late December 2021. I will "respond" to the thread whenever I get new installation instructions from DEV or Product Management.
If you have questions feel free to ask them in the forum. This will allow other users to follow the ongoing "changes". The patch instructions are quite generic. They apply in a comparable manner to Linux versions, too.
Besides this thread I recommend subscribing to further resources to stay up to date:

Keep in mind that the forum enables you to ask questions, which is not possible in the DEV Blog. Let's rock this sh_t


--------------

Hi everyone,

Here are some instructions our PM provided - feel free to use them to patch an existing xServer2 environment if you want to harden your environment against the current hot "LOG4J" issue. The proper but more complex solution is to update to v2.25.1 (released on Dec. 13th, 2021). But if you want to keep the existing instance you might check the approach below:

We have three things to do to solve the problem (be aware that my path values are just examples - you need to check what your own path is first):
  1. Set an environment variable of the system and replace the log4j libraries in PTV xServer and PTV Content Update Service.
    Please do not update Amazon Corretto in any case! (xServer2 still requires Java8)
    How to set environment variable:
    • Press the Windows key and type Environment.
    • Select "Edit the system environment variables". A "System Properties" menu appears.
    • Click on "Environment Variables...".
    • Click on "New..." in the "System variables" area.
    • Create a new environment variable with the name "LOG4J_FORMAT_MSG_NO_LOOKUPS" and the value "true".
    • Click twice on "OK" to complete the change.
    This is an action to secure your system in the short term.

    Please contact the manufacturers of other software products to get an assessment of vulnerability and possible updates.
  2. Update libraries of the PTV xServer
    • Please stop the PTV xServer.
    • Please change to the xServer2 installation directory (into the given subfolder), e.g. C:\ptv-xserver\server\2.x.y\webapps\services\WEB-INF\lib
    • Now delete all files beginning with "log4j":
      log4j-api-2.x.jar
      log4j-core-2.x.jar
      log4j-slf4j-impl-2.x.jar
      log4j-web-2.x.jar
    • The file log4j-api-2.x.jar can be named e.g.: log4j-api-2.13.1.jar
    • Now unzip the file log4j-2.16.0-libraries.zip into a temporary directory and copy the files
      log4j-api-2.16.0.jar
      log4j-core-2.16.0.jar
      log4j-slf4j-impl-2.16.0.jar
      log4j-web-2.16.0.jar
      into the directory C:\ptv-xserver\server\2.x.y\webapps\services\WEB-INF\lib
    • Now the PTV xServer can be restarted. (The computer does not have to be restarted)
  3. Update libraries of the PTV Content Update Service
    Nearly the same as for PTV xServer must be done for the PTV Content Update Service.
    • Please stop the PTV Content Update Service.
    • Please change to the directory C:\ptv-xserver\server\CUS\2.x\webapps\contentupdateservice\WEB-INF\lib
    • Now delete all files beginning with "log4j":
      log4j-api-2.x.jar
      log4j-core-2.x.jar
      log4j-slf4j-impl-2.x.jar
    • Unzip the file log4j-2.16.0-libraries-contentupdateservice.zip into a temporary directory and copy the files
      log4j-api-2.16.0.jar
      log4j-core-2.16.0.jar
      log4j-slf4j-impl-2.16.0.jar
      into the directory C:\ptv-xserver\server\CUS\2.x\webapps\contentupdateservice\WEB-INF\lib
    • Now the PTV Content Update Service can be restarted. (The computer does not have to be restarted).
Thanks to DEV for the quick guidelines!

Please keep in mind to update your server once you are aware that we have security related patches. We recommend subscribing to the famous product management DEV BLOG or the PTV xServer Forum INFOSTREAM.

Bernd
Attachments:
  • log4j-2.16.0-libraries.zip (for xserver, 1.84 MiB)
  • log4j-2.16.0-libraries-contentupdateservice.zip (for content update service, 1.81 MiB)
Bernd Welter
Technical Partner Manager Developer Components
PTV Logistics - Germany


Post by Bernd Welter »

UPDATE:
The zip files have been replaced: instead of Log4J 2.15.0 we now use the latest 2.16.0.

Post by Bernd Welter »

Quick update:

Meanwhile our DEV team provided full update versions for xServer 1.34 and xServer 2.25 including LOG4J 2.16.0.

It is up to you whether you apply this manual patch described above or install the full update.

WE DELIVERED!

Bernd

Post by Bernd Welter »

Update 21.12.2021 - find a new patch description below. Please be aware that we always recommend installing a complete version of a server with the proper built-in patch instead of a manual patch of an existing server installation!
---------------------------
Dear all,
there is again a new version for log4j to fix the issue concerning Log4J. The security level is now 7.5 from 10. The former issue was level 10. Please see: https://logging.apache.org/log4j/2.x/se ... 2021-45105
I updated the version and added new zip files with the new libraries.

Should you have questions, please let us know.
Thanks and best regards, Ellen and Ernst

_____________________________________________________________________________________________________
Action to fix PTV xServer 2 environment:
We have two things to do to solve the problem:
Replace the log4j libraries in PTV xServer and PTV Content Update Service.

  1. Update libraries of the PTV xServer
    • Please stop the PTV xServer.
    • Please change to the directory [xserver installation folder]\webapps\services\WEB-INF\lib e.g. C:\PTV-AG\xServer\2.20.0\webapps\services\WEB-INF\lib
      The abbreviation 2.x stands for the PTV xServer version.
      In general, this would be: C:\PTV-AG\xServer\2.x\webapps\services\WEB-INF\lib
      For version 2.20.0 the file path would be C:\PTV-AG\xServer\2.20.0\webapps\services\WEB-INF\lib
    • Now delete all files beginning with "log4j":
      log4j-api-2.x.jar
      log4j-core-2.x.jar
      log4j-slf4j-impl-2.x.jar
      log4j-web-2.x.jar
    • The file log4j-api-2.x.jar can be named e.g.: log4j-api-2.13.1.jar
    • Now unzip the file log4j-2.17.0-libraries.zip into a temporary directory and copy the files
      log4j-api-2.17.0.jar
      log4j-core-2.17.0.jar
      log4j-slf4j-impl-2.17.0.jar
      log4j-web-2.17.0.jar
      into the directory C:\PTV-AG\xServer\2.x\webapps\services\WEB-INF\lib
    • Now the PTV xServer can be restarted. (The computer does not have to be restarted)
  2. Update libraries of the PTV Content Update Service
    Nearly the same as for PTV xServer must be done for the PTV Content Update Service.
    • Please stop the PTV Content Update Service.
    • Please change to the directory C:\PTV-AG\xServer\CUS\2.x\webapps\contentupdateservice\WEB-INF\lib
    • Now delete all files beginning with "log4j":
      log4j-api-2.x.jar
      log4j-core-2.x.jar
      log4j-slf4j-impl-2.x.jar
    • Unzip the file log4j-2.17.0-libraries-contentupdateservice.zip into a temporary directory and copy the files
      log4j-api-2.17.0.jar
      log4j-core-2.17.0.jar
      log4j-slf4j-impl-2.17.0.jar
      into the directory C:\PTV-AG\xServer\CUS\2.x\webapps\contentupdateservice\WEB-INF\lib
    • Now the PTV Content Update Service can be restarted. (The computer does not have to be restarted)
Attachments:
  • log4j-2.17.0-libraries-contentupdateservice.zip (log4j 2.17.0 for the content update service, 1.81 MiB)
  • log4j-2.17.0-libraries.zip (log4j 2.17.0 for the server, 1.84 MiB)
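
Added example (not part of the original posts and not PTV code): a post-patch check for the library replacement steps in both the 2.16.0 and the 2.17.0 instructions above, reporting log4j jars that were not deleted, expected jars that are missing, and jars whose file name does not match the version recorded inside them. The function names are hypothetical, and the Maven pom.properties path used to read the embedded version is an assumption about how the jars are packaged; when that entry is absent the check relies on the file name only.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Artifact lists from the posts; log4j-web is only listed for the xServer itself.
XSERVER_JARS = {"log4j-api", "log4j-core", "log4j-slf4j-impl", "log4j-web"}
CUS_JARS = XSERVER_JARS - {"log4j-web"}
JAR_NAME = re.compile(r"^(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)*)\.jar$")
POM = "META-INF/maven/org.apache.logging.log4j/{}/pom.properties"  # assumed layout

def embedded_version(jar_path, artifact):
    """Version recorded inside the jar, None if not recorded, 'unreadable' if corrupt."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read(POM.format(artifact)).decode("utf-8", "replace")
    except KeyError:
        return None
    except zipfile.BadZipFile:
        return "unreadable"
    found = re.search(r"^version=(\S+)", text, re.MULTILINE)
    return found.group(1) if found else None

def audit_lib_dir(lib_dir, expected_jars, target):
    """Return findings for one WEB-INF/lib folder; an empty list means it is clean."""
    findings, seen = [], set()
    for jar in sorted(Path(lib_dir).glob("log4j*.jar")):
        match = JAR_NAME.match(jar.name)
        if not match:
            findings.append(f"unrecognised file name: {jar.name}")
            continue
        artifact, name_version = match.groups()
        inner = embedded_version(jar, artifact)
        if name_version != target:
            findings.append(f"leftover library: {jar.name}")
        elif inner not in (None, target):
            findings.append(f"{jar.name}: embedded version is {inner}")
        else:
            seen.add(artifact)
    return findings + [f"missing: {a}-{target}.jar" for a in sorted(expected_jars - seen)]

def demo():
    """Constructed sample: a CUS lib folder with one old jar left and one mislabelled jar."""
    with tempfile.TemporaryDirectory() as lib:
        for name, inner in [("log4j-api-2.17.0", "2.17.0"), ("log4j-core-2.17.0", "2.17.0"),
                            ("log4j-core-2.13.1", "2.13.1"), ("log4j-slf4j-impl-2.17.0", "2.16.0")]:
            artifact = name.rsplit("-", 1)[0]
            with zipfile.ZipFile(Path(lib, name + ".jar"), "w") as jar:
                jar.writestr(POM.format(artifact), f"version={inner}\n")
        return audit_lib_dir(lib, CUS_JARS, "2.17.0")
```

On a real installation, call audit_lib_dir once per folder with your own path, for example the services\WEB-INF\lib folder with XSERVER_JARS and the contentupdateservice\WEB-INF\lib folder with CUS_JARS, while the services are stopped.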