Back to QMetry All Products Help Page

Log4j security vulnerability patch (CVE-2021-44228) - Linux server instances

Owned by Mrunalini Potnis
Mar 09, 2022
2 min read

Note: This patch is specifically for the QMetry Test Management tool hosted over Linux Server instances.

This page contains information for patching the recently published remote code execution 0-day vulnerability (CVE-2021-44228) affecting Log4j.

Reference: Apache Log4j Security Vulnerabilities

Steps to be followed on QMetry Application Server

  1. Login to the QMetry App Server and ensure the docker services are running.

    • sudo su

    • docker ps

      • Note: If the docker containers are not running, start them using the command: docker start qmetry_rds_1 qmetry_app_1

  2. Remove the log4j jar files using the following commands:

    • docker exec qmetry_app_1 rm -rf /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/log4j-core-2.8.2.jar

    • docker exec qmetry_app_1 rm -rf /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/log4j-api-2.8.2.jar

    • docker exec qmetry_app_1 rm -rf /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/log4j-1.2.17.jar

  3. Run the following commands to download Log4j 2.15.0 jar files. Alternatively, you can download them from this secure OneDrive link.

  4. Copy the above jar files to the QMetry app docker container.

    • docker cp log4j-core-2.15.0.jar qmetry_app_1:/home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/

    • docker cp log4j-api-2.15.0.jar qmetry_app_1:/home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/

  5. Restart QMetry App and Database Services

    • docker restart qmetry_rds_1

    • docker restart qmetry_app_1

Steps to be followed on QMetry Reports Server

  1. Login to the QMetry Reports server and run the following commands to stop the reports docker container.

    • sudo su

    • docker stop qmetry-reports

    • docker stop qmetry-reports-db

  2. Open the file – qtm_monitor_service.sh in edit mode.

    • cd /var/lib/docker/volumes/qmetryreport_spark-apps/_data

      • Note: If the above path is not present, use the command: cd /var/lib/docker/volumes/spark_report_spark-apps/_data

    • vim qtm_monitor_service.sh

  3. Update the lines containing the text indicated below with the suggested changes.

    • Press i to change the file mode to insert.

    • Add -Dlog4j2.formatMsgNoLookups=true in the following lines:

      • java -jar -Xmx2g QMetryDataSynch.jar

      • java -jar -Xmx2g QMetryCDC.jar

    • Updated lines should appear as follows:

      • java -Dlog4j2.formatMsgNoLookups=true -jar -Xmx2g QMetryDataSynch.jar

      • java -Dlog4j2.formatMsgNoLookups=true -jar -Xmx2g QMetryCDC.jar

  4. Save the file and restart reports docker containers.

    • Press Esc, and then type :wq to save the changes.

    • Run the below command to start the reports docker containers.

      • docker start qmetry-reports-db

      • docker start qmetry-reports

         

Back to QMetry All Products Help Page