Log4j Security Vulnerability

Apache Log4j

In December 2021, vulnerabilities were identified in Apache Log4j that affected a massive number of Java server applications.

Tom Sawyer Software has been diligently examining our own dependencies. Read on to see how this may affect you—and check back frequently for updates as this issue evolves.

Not affected by Log4j vulnerability:

  • Tom Sawyer Perspectives 
    • Graph and Data Visualization SDK Designer and Web Previewer
    • Graph Database Browser
    • Model-Based Engineering (default configuration)
  • Tom Sawyer Analysis
  • Tom Sawyer Layout
  • Tom Sawyer Visualization
  • Tom Sawyer Licensing

Affected by Log4j vulnerability:

  • Business Process
  • Model-Based Engineering (custom configuration)
  • Any custom Perspectives application that contains the log4j-core library, contains log4j2.xml, and/or enables Log4j through code. Ways a developer might have introduced it:
    • Followed our instructions in our documentation to enable Log4j
    • Followed our documented Ant instructions
    • Used our example root pom as their application's root pom, and enabled Log4j
    • Added Log4j or configured the application to use it. (Here are some ways Log4j may have been set up in a custom app: https://logging.apache.org/log4j/2.x/manual/configuration.html)

How do I know if my application is vulnerable?

Step One

Go to your custom application's installation directory and run the following commands. If any command returns results, the application may be vulnerable.

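Linux and Mac OS:

    # log4j-core jars on disk, or named inside .war/.jar archives
    find ./ -name "log4j-core*.jar"
    grep -r --include "*.war" -ie log4j-core .
    grep -r --include "*.jar" -ie log4j-core .

    # log4j2.xml configuration files on disk, or named inside .war/.jar archives
    find ./ -name log4j2.xml
    grep -r --include "*.war" -ie log4j2.xml .
    grep -r --include "*.jar" -ie log4j2.xml .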
 

Windows PowerShell:

    Get-ChildItem -Path ./ -Include log4j-core*.jar -Recurse -ErrorAction SilentlyContinue | Select-Object FullName
    Get-ChildItem -Path ./ -Include *.jar -Recurse | Select-String -Pattern 'log4j-core' | Select-Object -Unique Path
    Get-ChildItem -Path ./ -Include *.war -Recurse | Select-String -Pattern 'log4j-core' | Select-Object -Unique Path
 
    Get-ChildItem -Path ./ -Include log4j2.xml -Recurse -ErrorAction SilentlyContinue | Select-Object FullName
    Get-ChildItem -Path ./ -Include *.jar -Recurse | Select-String -Pattern 'log4j2.xml' | Select-Object -Unique Path
    Get-ChildItem -Path ./ -Include *.war -Recurse | Select-String -Pattern 'log4j2.xml' | Select-Object -Unique Path
 

Step Two

Search your codebase for the following line. If it is found, your application uses Log4j and may be vulnerable.

    TSLogger.getLogProviders().registerLogProvider(TSLog4JProvider.class);
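
An added example, not Tom Sawyer Software's code: a Python version of the Step One search that also opens archives nested inside .war/.jar files, where grep on the outer file can miss a compressed inner log4j2.xml or a repackaged log4j-core class. The function names, the .ear extension and the max_depth limit are assumptions made here; the JndiLookup class path is the one named in remediation option 5.

```python
# Added example: function names, the .ear extension and max_depth are choices made here.
import io
import sys
import zipfile
from pathlib import Path

ARCHIVE_EXT = (".jar", ".war", ".ear")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def marker(name):
    """Classify a '/'-separated file or archive-entry path; None if not a Log4j marker."""
    base = name.rsplit("/", 1)[-1].lower()
    if base.startswith("log4j-core") and base.endswith(".jar"):
        return "log4j-core jar"
    if base == "log4j2.xml":
        return "log4j2.xml"
    if name.endswith(JNDI_CLASS):
        return "JndiLookup class"
    return None

def scan_archive(data, label, depth=0, max_depth=5):
    """Yield (location, marker) for an archive held in memory, recursing into nested ones."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                where = f"{label}!/{info.filename}"
                kind = marker(info.filename)
                if kind:
                    yield where, kind
                if info.filename.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                    yield from scan_archive(zf.read(info), where, depth + 1, max_depth)
    except (zipfile.BadZipFile, RuntimeError):
        return  # corrupt or encrypted archive: keep what was found so far

def scan_tree(root):
    """Walk an installation directory and return sorted (location, marker) findings."""
    found = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        kind = marker(path.as_posix())
        if kind:
            found.append((str(path), kind))
        if path.name.lower().endswith(ARCHIVE_EXT):
            found.extend(scan_archive(path.read_bytes(), str(path)))
    return sorted(found)

if __name__ == "__main__":
    for location, kind in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{location}")
```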

Options for Remediation

1. Upgrade to Perspectives 10.1.0, which has removed all log4j-core instances
2. Upgrade Log4j
  • Replace the vulnerable log4j-core library with the latest patched version from Apache
  • Redeploy the application
3. Remove Log4j from your application
  • Remove or rename the log4j-core jar file or log4j2.xml file
  • Remove the line of code enabling it (see above)
  • Rebuild and redeploy the application
4. Workaround: disable lookups
  These parameters can be passed and/or included in the application's environment in order to avoid this vulnerability:
  • JVM runtime flag: -Dlog4j2.formatMsgNoLookups=true (Note: this is the best remediation for Business Process)
  • Environment variables:
    • _JAVA_OPTIONS = -Dlog4j2.formatMsgNoLookups=true
    • JAVA_TOOL_OPTIONS = -Dlog4j2.formatMsgNoLookups=true
    • LOG4J_FORMAT_MSG_NO_LOOKUPS = true
  • Restart the application
5. Remove the vulnerable class from the library, if your application doesn't depend on it
  • zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • Restart the application

Contact Us

Have questions about these vulnerabilities and your system? We are here for you. Log in to support.tomsawyer.com and submit a case with any questions, issues, or concerns. We'll get right back to you.