Updates
The log4j.formatMsgNoLookups work-around is no longer recommended. We are evaluating CVE-2021-45105 and at this time do not believe our products are affected.
December 14, 2021: Horizon 26.1.2 and earlier versions.
December 16, 2021: CVE-2021-45046.
December 20, 2021: CVE-2021-45105.
Background
Serious remote code execution (RCE) and denial of service (DoS) vulnerabilities in Apache Log4j could affect customers running some OpenNMS products. These vulnerabilities could allow an attacker to shut down or compromise your system by causing OpenNMS to log a specially crafted message: Apache Log4j could interpret that message as a lookup and download, run, or install malicious software.
To mitigate this risk, find your product and version in the list below and apply the listed upgrade or work-around.
For more information about the Log4j vulnerability, see the Apache Log4j security notice for CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 at https://logging.apache.org/log4j/2.x/security.html.
Meridian 2021.1.8, 2020.1.16, 2019.1.27, or earlier
Work-around:
Edit or create $OPENNMS_HOME/etc/log4j2.component.properties file to include the line: log4j.formatMsgNoLookups=true
Remove the JndiLookup class from the classpath (directories that contain log4j files) with this set of commands inside your OpenNMS directory (if you are on Debian, replace "/opt/opennms" with "/usr/share/opennms" instead):
find /opt/opennms -type f -name '*log4j*.jar' | while read -r JAR; do
zip -q -d "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class
done &&
find /opt/opennms/system -type f -name '*log4j*.jar.sha1' -delete &&
systemctl stop opennms.service &&
rm -rf /opt/opennms/data/* &&
systemctl start opennms.service
Permanent fix:
Upgrade to Meridian 2021.1.9, 2020.1.17, 2019.1.28, or newer
Horizon 26.1.3 through 29.0.2
Work-around:
Edit or create $OPENNMS_HOME/etc/log4j2.component.properties file to include the line:
log4j.formatMsgNoLookups=true and restart Horizon
Permanent fix:
Upgrade to Horizon 29.0.3 or newer
Horizon 29.0.3 or earlier
Work-around:
Remove the JndiLookup class from the classpath (directories that contain log4j files) with this set of commands inside your OpenNMS directory (if you are on Debian, replace "/opt/opennms" with "/usr/share/opennms" instead):
find /opt/opennms -type f -name '*log4j*.jar' | while read -r JAR; do
zip -q -d "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class
done &&
find /opt/opennms/system -type f -name '*log4j*.jar.sha1' -delete &&
systemctl stop opennms.service &&
rm -rf /opt/opennms/data/* &&
systemctl start opennms.service
Permanent fix:
Upgrade to Horizon 29.0.4 or newer
PoweredBy OpenNMS
Work-around:
Not available
Permanent Fix:
Pull from latest GitHub source that has Log4j2 v2.17.0 or newer in pom.xml
Minions derived from Meridian 2021.1.8, 2020.1.16, 2019.1.27, Horizon 29.0.3, or earlier
Work-around:
For each Minion, edit the /opt/minion/etc/config.properties config file to include the line: log4j.formatMsgNoLookups=true
Remove the JndiLookup class from the classpath (directories that contain log4j files) with this set of commands inside your OpenNMS directory (if you are on Debian, replace "/opt/minion" with "/usr/share/minion" instead):
find /opt/minion -type f -name '*log4j*.jar' | while read -r JAR; do
zip -q -d "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class
done &&
find /opt/minion/system -type f -name '*log4j*.jar.sha1' -delete &&
systemctl stop minion.service &&
rm -rf /opt/minion/data/* &&
systemctl start minion.service
Permanent Fix:
Upgrade to Minion included with Meridian 2021.1.9, 2020.1.17, 2019.1.28, Horizon 29.0.4, or newer
Minion Appliance – all versions
Work-around:
Not applicable – Automatic Updates
Permanent fix:
Appliance service provides automatic updates to Minion appliances to match the version of Meridian or Horizon in use.
Sentinels derived from Meridian 2021.1.8, 2020.1.16, 2019.1.27, Horizon 29.0.3 or earlier
Work-around:
For each Sentinel, edit the /opt/sentinel/etc/config.properties config file to include the line: log4j.formatMsgNoLookups=true
Remove the JndiLookup class from the classpath (directories that contain log4j files) with this set of commands inside your OpenNMS directory (if you are on Debian, replace "/opt/minion" with "/usr/share/minion" instead):
find /opt/minion -type f -name '*log4j*.jar' | while read -r JAR; do
zip -q -d "$JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class
done &&
find /opt/minion/system -type f -name '*log4j*.jar.sha1' -delete &&
systemctl stop minion.service &&
rm -rf /opt/minion/data/* &&
systemctl start minion.service
Permanent fix:
Upgrade to Sentinel included with Meridian 2021.1.9, 2020.1.17, 2019.1.28, Horizon 29.0.4, or newer
Sentinels derived from Horizon 26.1.2 or earlier
Work-around:
For each Sentinel, remove the JndiLookup class from the classpath (directories that contain log4j-core-*.jar files) with this command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class and restart Sentinel
Permanent fix:
Upgrade to Sentinel included with Horizon 29.0.3 or newer
Addendum
Find out how to verify that the mitigations you put in place are protecting you from CVE-2021-44228 and CVE-2021-45046 in this Discourse article.
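The JndiLookup-removal work-around above is the same for Meridian, Horizon, Minion and Sentinel: find every *log4j*.jar under the install directory, delete org/apache/logging/log4j/core/lookup/JndiLookup.class from it, and drop the stale .jar.sha1 sidecar files. The following is an added example, not OpenNMS code, that does the same thing in Python so it can also be used as an audit: it reports which jars still carry the class before and after the change. The directory tree it operates on is constructed in a temp directory with dummy jar contents (the class bytes are placeholders, not a real Log4j build); point audit() at a real $OPENNMS_HOME or /opt/minion instead to check a live install.

```python
"""Audit and apply the JndiLookup.class removal work-around (added example)."""
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Entry the advisory tells you to remove from every log4j jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_log4j_jars(root):
    """Equivalent of `find ROOT -type f -name '*log4j*.jar'`."""
    return sorted(p for p in Path(root).rglob("*log4j*.jar") if p.is_file())


def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class (i.e. work-around not applied)."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (what `zip -q -d` does).

    Also deletes the neighbouring .jar.sha1 file, as the advisory's
    `find ... -name '*log4j*.jar.sha1' -delete` does. Returns True if the
    jar was modified, False if the class was already absent.
    """
    jar_path = Path(jar_path)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap of the rewritten jar
    sidecar = jar_path.with_name(jar_path.name + ".sha1")
    if sidecar.exists():
        sidecar.unlink()
    return True


def audit(root):
    """Map jar path -> True when JndiLookup.class is still present."""
    return {str(p): has_jndi_lookup(p) for p in find_log4j_jars(root)}


def make_sample_tree():
    """Constructed sample install tree: one jar with the class, one without."""
    root = Path(tempfile.mkdtemp(prefix="opennms-sample-"))
    lib = root / "system" / "org" / "apache" / "logging" / "log4j"
    lib.mkdir(parents=True)
    placeholder = b"\xca\xfe\xba\xbe"  # not a real class file, just a marker
    with zipfile.ZipFile(lib / "log4j-core-2.14.1.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, placeholder)
        zf.writestr("org/apache/logging/log4j/core/Core.class", placeholder)
    (lib / "log4j-core-2.14.1.jar.sha1").write_text("0000\n")
    with zipfile.ZipFile(lib / "log4j-api-2.14.1.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


def demo():
    """Run audit -> strip -> audit on the constructed tree and report the results."""
    root = make_sample_tree()
    try:
        before = audit(root)
        changed = [str(p) for p in find_log4j_jars(root) if strip_jndi_lookup(p)]
        after = audit(root)
        sha1_left = len(list(root.rglob("*.sha1")))
        return {"before": before, "changed": changed, "after": after, "sha1_left": sha1_left}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real install, stop the service before rewriting jars and clear the data directory afterwards, as the advisory's command sequence does; the audit step alone is read-only and safe to run at any time.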