Updates

The log4j.formatMsgNoLookups work-around is no longer recommended. We are evaluating CVE-2021-45105 and at this time do not believe our products are affected.

December 14, 2021: Horizon 26.1.2 and earlier versions.

December 16, 2021: CVE-2021-45046.

December 20, 2021: CVE-2021-45105.

Note: Major text changes appear in red

Background

Serious remote code execution (RCE) and denial of service (DOS) vulnerabilities in Apache Log4j could affect customers running some OpenNMS products. These vulnerabilities could allow an attacker to shut down or compromise your system by causing OpenNMS to log specially crafted messages into system log files for malicious purposes. Apache Log4j could interpret one of those messages to download, run, or install malicious software.

To mitigate this risk, consult the following list to install the latest OpenNMS software upgrades or work-around.

For more information about the Log4j vulnerability, see the Apache Log4j security notice for CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 at https://logging.apache.org/log4j/2.x/security.html.

Meridian 2021.1.8, 2020.1.16, 2019.1.27, or earlier

Work-around:

Edit or create $OPENNMS_HOME/etc/log4j2.component.properties file to include the line: log4j.formatMsgNoLookups=true

Remove the JndiLookup class from the classpath (directories that contain log4j files) with this set of commands inside your OpenNMS directory (if you are on Debian, replace "/opt/opennms" with "/usr/share/opennms" instead):

find /opt/opennms -type f -name *log4j*.jar | while read -r JAR; do

zip -q -d "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class

done &&

find /opt/opennms/system -type f -name *log4j*.jar.sha1 -delete &&

systemctl stop opennms.service &&

rm -rf /opt/opennms/data/* &&

systemctl start opennms.service

Permanent fix:

Upgrade to Meridian 2021.1.9, 2020.1.17, 2019.1.28, or newer

Horizon 26.1.3 through 29.0.2

Work-around:

Edit or create $OPENNMS_HOME/etc/log4j2.component.properties file to include the line:

log4j.formatMsgNoLookups=true and restart Horizon

Permanent fix:

Upgrade to Horizon 29.0.3 or newer

Horizon 29.0.3 or earlier

Work-around:

Remove the JndiLookup class from the classpath (directories that contain log4j files) with this set of commands inside your OpenNMS directory (if you are on Debian, replace "/opt/opennms" with "/usr/share/opennms" instead):

find /opt/opennms -type f -name *log4j*.jar | while read -r JAR; do

zip -q -d "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class

done &&

find /opt/opennms/system -type f -name *log4j*.jar.sha1 -delete &&

systemctl stop opennms.service &&

rm -rf /opt/opennms/data/* &&

systemctl start opennms.service

Permanent fix:

Upgrade to Horizon 29.0.4 or newer

PoweredBy OpenNMS

Work-around:

Not available

Permanent Fix:

Pull from latest GitHub source that has Log4j2 v2.17.0 or newer in pom.xml

Minions derived from Meridian 2021.1.8, 2020.1.16, 2019.1.27, Horizon 29.0.3, or earlier

Work-around:

For each Minion, edit/opt/minion/etc/config.properties config file to include the line: log4j.formatMsgNoLookups=true

Remove the JndiLookup class from the classpath (directories that contain log4j files) with this set of commands inside your OpenNMS directory (if you are on Debian, replace "/opt/minion" with "/usr/share/minion" instead):

find /opt/minion -type f -name *log4j*.jar | while read -r JAR; do

zip -q -d "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class

done &&

find /opt/minion/system -type f -name *log4j*.jar.sha1 -delete &&

systemctl stop minion.service &&

rm -rf /opt/minion/data/* &&

systemctl start minion.service

Permanent Fix:

Upgrade to Minion included with Meridian 2021.1.9, 2020.1.17, 2019.1.28, Horizon 29.0.4, or newer

Minion Appliance – all versions

Work-around:

Not applicable – Automatic Updates

Permanent fix:

Appliance service provides automatic updates to Minion appliances to match the version of Meridian or Horizon in use.

Sentinels derived from Meridian 2021.1.8, 2020.1.16, 2019.1.27, Horizon 29.0.3 or earlier

Work-around:

For each Sentinel, edit /opt/sentinel/etc/config.properties config file to include the line: log4j.formatMsgNoLookups=true

Remove the JndiLookup class from the classpath (directories that contain log4j files) with this set of commands inside your OpenNMS directory (if you are on Debian, replace "/opt/minion" with "/usr/share/minion" instead):

find /opt/minion -type f -name *log4j*.jar | while read -r JAR; do

zip -q -d "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class

done &&

find /opt/minion/system -type f -name *log4j*.jar.sha1 -delete &&

systemctl stop minion.service &&

rm -rf /opt/minion/data/* &&

systemctl start minion.service

Permanent fix:

Upgrade to Sentinel included with Meridian 2021.1.9, 2020.1.17, 2019.1.28, Horizon 29.0.4, or newer

Sentinels derived Horizon 26.1.2 or earlier

Work-around:

For each Sentinel, remove the JndiLookup class from the classpath (directories that contain log4j-core-*.jar files) with this command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class and restart Sentinel

Permanent fix:

Upgrade to Sentinel included with Horizon 29.0.3 or newer

Addendum

Find out how to verify that the mitigations you put in place are protecting you from CVE-2021-44228 and CVE-2021-45046 in this Discourse article.

Jump to section

About the Author: Jeff Jancula

Published On: December 10th, 2021Last Updated: April 20th, 20234 min read