Log4j security vulnerability patch (CVE-2021-44228) - Linux server instances
Note: This patch is specifically for the QMetry Test Management tool hosted over Linux Server instances.
This page contains information for patching the recently published remote code execution 0-day vulnerability (CVE-2021-44228) affecting Log4j.
Reference: Apache Log4j Security Vulnerabilities
Steps to be followed on QMetry Application Server
Log in to the QMetry App Server and ensure the Docker services are running.
sudo su
docker ps
Note: If the docker containers are not running, start them using the command: docker start qmetry_rds_1 qmetry_app_1
Remove the log4j jar files using the following commands:
docker exec qmetry_app_1 rm -rf /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/log4j-core-2.8.2.jar
docker exec qmetry_app_1 rm -rf /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/log4j-api-2.8.2.jar
docker exec qmetry_app_1 rm -rf /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/log4j-1.2.17.jar
Run the following commands to download Log4j 2.15.0 jar files. Alternatively, you can download them from this secure OneDrive link.
Copy the above jar files to the QMetry app docker container.
docker cp log4j-core-2.15.0.jar qmetry_app_1:/home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/
docker cp log4j-api-2.15.0.jar qmetry_app_1:/home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/
Restart QMetry App and Database Services
docker restart qmetry_rds_1
docker restart qmetry_app_1
Steps to be followed on QMetry Reports Server
Log in to the QMetry Reports server and run the following commands to stop the reports Docker containers.
sudo su
docker stop qmetry-reports
docker stop qmetry-reports-db
Open the file qtm_monitor_service.sh in edit mode.
cd /var/lib/docker/volumes/qmetryreport_spark-apps/_data
Note: If the above path is not present, use the command: cd /var/lib/docker/volumes/spark_report_spark-apps/_data
vim qtm_monitor_service.sh
Update the lines containing the text indicated below with the suggested changes.
Press i to change the file mode to insert.
Add -Dlog4j2.formatMsgNoLookups=true in the following lines:
java -jar -Xmx2g QMetryDataSynch.jar
java -jar -Xmx2g QMetryCDC.jar
Updated lines should appear as follows:
java -Dlog4j2.formatMsgNoLookups=true -jar -Xmx2g QMetryDataSynch.jar
java -Dlog4j2.formatMsgNoLookups=true -jar -Xmx2g QMetryCDC.jar
Save the file and restart reports docker containers.
Press Esc, and then type :wq to save the changes.
Run the following commands to start the reports Docker containers.
docker start qmetry-reports-db
docker start qmetry-reports
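One way to verify the result of both procedures above, as an added example that is not part of QMetry's instructions: the first function checks a listing of the WEB-INF/lib directory for leftover or missing Log4j jars, and the second checks the launch lines in qtm_monitor_service.sh for the JVM flag. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added verification helper, not part of QMetry's instructions.
EXPECTED_VERSION="2.15.0"   # version installed by the App Server steps

# Reads a directory listing (one file name per line) on stdin. Fails if any
# log4j jar other than the two 2.15.0 jars remains, or if either is missing.
audit_log4j_jars() {
    listing=$(cat)
    status=0
    for jar in $(printf '%s\n' "$listing" | grep -E '^log4j.*\.jar$' || true); do
        case "$jar" in
            "log4j-core-$EXPECTED_VERSION.jar"|"log4j-api-$EXPECTED_VERSION.jar") ;;
            *) echo "LEFTOVER: $jar"; status=1 ;;
        esac
    done
    for part in core api; do
        printf '%s\n' "$listing" | grep -qxF "log4j-$part-$EXPECTED_VERSION.jar" || {
            echo "MISSING: log4j-$part-$EXPECTED_VERSION.jar"; status=1; }
    done
    return "$status"
}

# Fails unless every java launch line for the two report jars in the given
# script carries -Dlog4j2.formatMsgNoLookups=true.
audit_jvm_flag() {
    status=0
    for app in QMetryDataSynch.jar QMetryCDC.jar; do
        lines=$(grep -E "java .*$app" "$1" || true)
        if [ -z "$lines" ]; then
            echo "NOT FOUND: no launch line for $app"; status=1
        elif printf '%s\n' "$lines" | grep -qvF -- '-Dlog4j2.formatMsgNoLookups=true'; then
            echo "UNPATCHED: $app"; status=1
        fi
    done
    return "$status"
}

# Constructed sample listing (not real server output): log4j-1.2.17.jar was missed.
SAMPLE_LISTING='commons-io-2.6.jar
log4j-1.2.17.jar
log4j-api-2.15.0.jar
log4j-core-2.15.0.jar'
printf '%s\n' "$SAMPLE_LISTING" | audit_log4j_jars || true   # prints LEFTOVER line

# On the servers (commands and paths from the steps above):
#   docker exec qmetry_app_1 ls /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/ | audit_log4j_jars
#   audit_jvm_flag /var/lib/docker/volumes/qmetryreport_spark-apps/_data/qtm_monitor_service.sh
```

Both functions return a non-zero status when a check fails, so they can gate a post-patch checklist or a scheduled re-check after later upgrades.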