Back to QMetry All Products Help Page

Log4j security vulnerability patch (CVE-2021-44228) - Windows docker instances

Owned by Mrunalini Potnis
Mar 09, 2022
2 min read

Note: This patch is specific to the QMetry Test Management instances hosted on Windows Docker.

This page contains information for patching the recently published remote code execution 0-day vulnerability (CVE-2021-44228) affecting Log4j.

Reference: Apache Log4j Security Vulnerabilities

Steps to be followed on QMetry Application Server

  1. Download the files - log4j-core-2.15.0.jar and log4j-api-2.15.0.jar from our OneDrive secure download link.

  2. Login to the QMetry App Server and go to the above file download location using the command prompt.

    • Start > search for “Command Prompt“ > Run as administrator.

    • Use the cd command and go to the directory where the files are downloaded. Example: cd "C:\Users\your.username\Downloads"

  3. Ensure the docker containers are running using the following command

    • docker ps

    • Note: If the docker containers are not running, start them using the command: docker start qmetry_rds_1 qmetry_app_1

  4. Remove the existing old log4j jar files using the following commands:

    • docker exec qmetry_app_1 rm -rf /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/log4j-core-2.8.2.jar

    • docker exec qmetry_app_1 rm -rf /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/log4j-api-2.8.2.jar

    • docker exec qmetry_app_1 rm -rf /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/log4j-1.2.17.jar

  5. Ensure that the directory indicated in the command prompt contains the new log4j jars downloaded during steps 1 and 2.

    • docker cp log4j-core-2.15.0.jar qmetry_app_1:/home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/

    • docker cp log4j-api-2.15.0.jar qmetry_app_1:/home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/

  6. Restart QMetry App and Database Services

    • docker restart qmetry_rds_1

    • docker restart qmetry_app_1

    • Close the command prompt.

Steps to be followed on QMetry Reports Server

  1. Login to the QMetry Reports server and open the command prompt with admin privileges.

    1. Start > search for “Command Prompt“ > Run as administrator.

    2. Ensure the docker containers are running using the following command

      • docker ps

      • Note: If the docker containers are not running, start them using the command: docker start qmetry-reports-db qmetry-reports

  2. Go inside the reports docker container using the following command

    • docker exec -it qmetry-reports bash

  3. Open the file – “qtm_monitor_service.sh” in edit mode using the vi command

    • vi qtm_monitor_service.sh

  4. Update the lines containing the text indicated below with the suggested changes.

    • Press i to change the file mode to insert.

    • Add -Dlog4j2.formatMsgNoLookups=true in the following lines:

      • java -jar -Xmx2g QMetryDataSynch.jar

      • java -jar -Xmx2g QMetryCDC.jar

    • Updated lines should appear as follows:

      • java -Dlog4j2.formatMsgNoLookups=true -jar -Xmx2g QMetryDataSynch.jar

      • java -Dlog4j2.formatMsgNoLookups=true -jar -Xmx2g QMetryCDC.jar

  5. Save the file and restart reports docker containers.

    • Press Esc, and then type :wq to save the changes.

    • Run the below command to start the reports docker containers.

      • docker start qmetry-reports-db

      • docker start qmetry-reports

Back to QMetry All Products Help Page