...
- https://github.com/folio-org/platform-complete/blob/R1-2021/install.json for Iris (R1-2021)
- https://github.com/folio-org/platform-complete/blob/R2-2021/install.json for Juniper (R2-2021)
- https://github.com/folio-org/platform-complete/blob/R3-2021/install.json for Kiwi (R3-2021)
https://github.com/julianladisch/platform-complete/actions/workflows/log4shell-scan.yml scans these branches for vulnerable log4j versions. Click on the release and on "Run cat result.txt" to see the results. The scan runs every two hours.
Configuration variables for back-end modules
Many back-end modules are affected by the Log4Shell issue. Until new jar files and new Docker containers with a fixed version are ready, the existing back-end modules should be reconfigured with an environment variable that disables the flaw for most cases in log4j:
- Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true
- Append -Dlog4j2.formatMsgNoLookups=true to the JAVA_OPTIONS variable
Pick one of the two options.
Example for the second option: If the existing configuration has JAVA_OPTIONS="-XX:MaxRAMPercentage=66.0"
then the new configuration should be JAVA_OPTIONS="-XX:MaxRAMPercentage=66.0 -Dlog4j2.formatMsgNoLookups=true"
SQL query to do this, posted by Lucy Menon on #sys-ops Slack channel, assuming that all modules in use already have a JAVA_OPTIONS env entry:
...
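The second option above is easy to get subtly wrong when applied across many modules: the flag gets appended twice on a re-run, or a module without any JAVA_OPTIONS entry is silently skipped (the SQL query mentioned above assumes every module already has one). The following shell script is an added example written for this page, not FOLIO project code or the query from Slack. It takes KEY=VALUE lines such as a Docker env file for a deployed module (the sample input is constructed), appends -Dlog4j2.formatMsgNoLookups=true to JAVA_OPTIONS exactly once, keeps a double-quoted value quoted, and adds a JAVA_OPTIONS entry where none exists.

```shell
#!/bin/sh
# Added example for this page (not FOLIO project code): apply the second
# mitigation option, appending -Dlog4j2.formatMsgNoLookups=true to JAVA_OPTIONS,
# idempotently. It also covers the case the page's SQL assumption leaves out:
# a module whose environment has no JAVA_OPTIONS entry at all.

NO_LOOKUPS_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# with_no_lookups CURRENT_VALUE
# Prints the JAVA_OPTIONS value to use: unchanged if the flag is already
# present (safe to re-run), just the flag if the value is empty or unset,
# otherwise the old value with the flag appended.
with_no_lookups() {
    current=$1
    case " $current " in
        *" $NO_LOOKUPS_FLAG "*) printf '%s\n' "$current" ;;
        '  ')                    printf '%s\n' "$NO_LOOKUPS_FLAG" ;;
        *)                       printf '%s\n' "$current $NO_LOOKUPS_FLAG" ;;
    esac
}

# patch_env_stream
# Reads KEY=VALUE lines on stdin (one entry per line, as in a Docker env file
# for a deployed module) and writes them back with JAVA_OPTIONS mitigated.
# A double-quoted JAVA_OPTIONS value stays quoted; if no JAVA_OPTIONS line
# exists, one is appended so the module is not silently skipped.
patch_env_stream() {
    seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            JAVA_OPTIONS=*)
                seen=1
                value=${line#JAVA_OPTIONS=}
                quoted=0
                case $value in
                    \"*\") quoted=1; value=${value#\"}; value=${value%\"} ;;
                esac
                value=$(with_no_lookups "$value")
                if [ "$quoted" -eq 1 ]; then
                    printf 'JAVA_OPTIONS="%s"\n' "$value"
                else
                    printf 'JAVA_OPTIONS=%s\n' "$value"
                fi
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
    [ "$seen" -eq 1 ] || printf 'JAVA_OPTIONS=%s\n' "$NO_LOOKUPS_FLAG"
}

# Demo on a constructed sample environment (the JAVA_OPTIONS value from the
# page's example plus an unrelated entry); the DB_HOST line passes through.
printf '%s\n' 'DB_HOST=postgres' 'JAVA_OPTIONS="-XX:MaxRAMPercentage=66.0"' | patch_env_stream
```

Run it as `sh script.sh < module.env > module.env.new` and diff the two files before deploying; running it a second time over the patched file produces identical output, which is what makes it safe to apply in bulk. It only implements the JAVA_OPTIONS option; the LOG4J_FORMAT_MSG_NO_LOOKUPS=true option is a plain additional env entry and needs no rewriting.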
Not completely. It only limits exposure while leaving some attack vectors open. Using the configuration variables is a temporary measure for the time until patched FOLIO modules are available. Please upgrade to patched modules as soon as possible.
From: https://logging.apache.org/log4j/2.x/security.html
History
Older (discredited) mitigation measures
...
After all mod-* and edge-* modules have been upgraded to log4j >= 2.16.0, upgrade edge-* modules with log4j 2.16.0 to log4j 2.17.0 unless they don't use MDC lookups.
https://github.com/julianladisch/platform-complete/actions/workflows/log4shell-scan.yml scans the platform-complete branches R1-2021, R2-2021 and R3-2021 for vulnerable log4j versions. Click on the release and on "Run cat result.txt" to see the results. The scan runs every two hours.
RMB based modules
Modules based on Raml Module Builder (RMB) should upgrade to a fixed version:
...
No, updating to log4j >= 2.16.0 is sufficient. LOG4J_FORMAT_MSG_NO_LOOKUPS=true or -Dlog4j2.formatMsgNoLookups=true should only be used by sysops for unpatched modules as a temporary fix. Don't add them to the ModuleDescriptors or LaunchDescriptors a module ships with. For details see section "Is using configuration variables secure?" above.
...