Log4j security vulnerability patch (CVE-2021-44228) - Windows docker instances
Note: This patch is specific to the QMetry Test Management instances hosted on Windows Docker.
This page contains information for patching the recently published remote code execution 0-day vulnerability (CVE-2021-44228) affecting Log4j.
Reference: Apache Log4j Security Vulnerabilities
Steps to be followed on QMetry Application Server
Download the files - log4j-core-2.15.0.jar and log4j-api-2.15.0.jar from our OneDrive secure download link.
Log in to the QMetry App Server and go to the above file download location using the command prompt.
Start > search for “Command Prompt” > Run as administrator.
Use the cd command and go to the directory where the files are downloaded. Example: cd "C:\Users\your.username\Downloads"
Ensure the docker containers are running using the following command:
docker ps
Note: If the docker containers are not running, start them using the command: docker start qmetry_rds_1 qmetry_app_1
Remove the existing old log4j jar files using the following commands:
docker exec qmetry_app_1 rm -rf /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/log4j-core-2.8.2.jar
docker exec qmetry_app_1 rm -rf /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/log4j-api-2.8.2.jar
docker exec qmetry_app_1 rm -rf /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/log4j-1.2.17.jar
Ensure that the directory indicated in the command prompt contains the new log4j jars downloaded during steps 1 and 2, then copy them into the app container using the following commands:
docker cp log4j-core-2.15.0.jar qmetry_app_1:/home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/
docker cp log4j-api-2.15.0.jar qmetry_app_1:/home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/
Restart the QMetry App and Database services:
docker restart qmetry_rds_1
docker restart qmetry_app_1
Close the command prompt.
Steps to be followed on QMetry Reports Server
Log in to the QMetry Reports server and open the command prompt with admin privileges.
Start > search for “Command Prompt” > Run as administrator.
Ensure the docker containers are running using the following command:
docker ps
Note: If the docker containers are not running, start them using the command: docker start qmetry-reports-db qmetry-reports
Go inside the reports docker container using the following command:
docker exec -it qmetry-reports bash
Open the file “qtm_monitor_service.sh” in edit mode using the vi command:
vi qtm_monitor_service.sh
Update the lines containing the text indicated below with the suggested changes.
Press i to change the file mode to insert.
Add -Dlog4j2.formatMsgNoLookups=true in the following lines:
java -jar -Xmx2g QMetryDataSynch.jar
java -jar -Xmx2g QMetryCDC.jar
Updated lines should appear as follows:
java -Dlog4j2.formatMsgNoLookups=true -jar -Xmx2g QMetryDataSynch.jar
java -Dlog4j2.formatMsgNoLookups=true -jar -Xmx2g QMetryCDC.jar
Save the file and restart reports docker containers.
Press Esc, and then type :wq to save the changes.
Run the commands below to start the reports docker containers:
docker start qmetry-reports-db
docker start qmetry-reports
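A post-patch check for both procedures above, as an added example that is not part of the vendor's instructions: it confirms that no old log4j jar remains next to the 2.15.0 jars, and that the formatMsgNoLookups flag sits where the JVM reads it. The function names are hypothetical, and a POSIX shell with awk is assumed (for example the bash shell inside the reports container).

```shell
#!/bin/sh
# Added example, not vendor code. Both functions read text on stdin.
# Assumed usage from a POSIX shell (paths and names are the ones on this page):
#   docker exec qmetry_app_1 ls /home/qmetry/QMetry/webapps/ROOT/WEB-INF/lib/ | check_lib_listing
#   check_launch_lines < qtm_monitor_service.sh

# Input: WEB-INF/lib listing, one file name per line. Returns 0 only if both
# 2.15.0 jars are present and no other log4j core/api/1.x jar remains.
check_lib_listing() {
    awk '
        /^log4j-core-2\.15\.0\.jar$/ { core = 1; next }
        /^log4j-api-2\.15\.0\.jar$/  { api = 1; next }
        /^log4j-(core|api)-[0-9].*\.jar$/ || /^log4j-1\..*\.jar$/ {
            print "stale jar: " $0; stale = 1
        }
        END {
            if (!core) print "missing: log4j-core-2.15.0.jar"
            if (!api)  print "missing: log4j-api-2.15.0.jar"
            exit (stale || !core || !api)
        }'
}

# Input: contents of qtm_monitor_service.sh. The flag must come before the jar
# file name: anything after the jar name is passed to the application as an
# argument and never reaches the JVM. Returns 0 if every launch line is correct.
check_launch_lines() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        /java .*QMetry(DataSynch|CDC)\.jar/ {
            seen = 1
            flag = index($0, "-Dlog4j2.formatMsgNoLookups=true")
            jar  = match($0, /QMetry(DataSynch|CDC)\.jar/)
            if (flag == 0 || flag > jar) { print "unprotected: " $0; bad = 1 }
        }
        END {
            if (!seen) print "no QMetry launch lines found"
            exit (bad || !seen)
        }'
}

# Constructed sample: the flag sits after the jar name, so the check fails.
printf '%s\n' 'java -jar -Xmx2g QMetryCDC.jar -Dlog4j2.formatMsgNoLookups=true' |
    check_launch_lines || echo "check failed, as expected for this sample"
```

A non-zero exit status from either function means the corresponding step needs to be repeated before the containers are put back into service.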