Patch Apache Log4j 2 Vulnerability

There is a vulnerability for Apache Log4j 2 versions 2.0 to 2.17.0 that makes the utility more vulnerable to remote code execution attacks. While this vulnerability is not present in later version of Log4j 2, users with an affected version can patch against the vulnerability by following the below steps.

To patch the Log4j 2 vulnerability:

  1. Stop all RiskVision services.

  2. Back up the installation servers. By default these are located in the C:\Server, C:\ReportServer, and C:\ConnectorManager folders.

  3. Download the latest log4j .jar files. 

  4. For each file path location in the below table, remove old log4j jars and place the new log4j jars as mentioned in the table .

    AREA
    FILE PATH LOCATION
    OLD log4j JARS
    NEW log4j JARS
    RV<RiskVision_HOME>\install\shared\lib_repo
    • log4j-core-2.9.1.jar
    • log4j-core-2.17.1.jar
    RV<RiskVision_HOME>\install\toolbox\lib    
    • log4j-api-2.9.1.jar
    • log4j-core-2.9.1.jar
    • log4j-api-2.17.1.jar
    • log4j-core-2.17.1.jar
    RV<RiskVision_HOME>\tomcat\lib
    • log4j-api-2.9.1.jar
    • log4j-core-2.9.1.jar
    • log4j-api-2.17.1.jar
    • log4j-core-2.17.1.jar
    RV<RiskVision_HOME>\tomcat\shared\lib_repo
    • log4j-core-2.9.1.jar
    • log4j-core-2.17.1.jar
    RV<RiskVision_HOME>\Services\RC\temp\jetty-127.0.0.1-9080-agiliance_service-<risk vision version>.war-_service-any-<number>.dir\webapp\WEB-INF\lib (Only available in RV 9.5 & 9.6)
    • log4j-api-2.9.1.jar
    • log4j-core-2.9.1.jar
    • log4j-api-2.17.1.jar
    • log4j-core-2.17.1.jar
    RV<RiskVision_HOME>\Services\RC\lib\agiliance_service-<risk vision version>.war\WEB-INF\lib
    • log4j-api-2.9.1.jar
    • log4j-core-2.9.1.jar
    • log4j-api-2.17.1.jar
    • log4j-core-2.17.1.jar
    Connector Manager<Connector Manager_HOME>\install\shared\lib_repo
    • log4j-core-2.9.1.jar
    • log4j-core-2.17.1.jar
    Connector Manager<Connector Manager_HOME>\Tomcat\lib
    • log4j-api-2.9.1.jar
    • log4j-core-2.9.1.jar
    • log4j-api-2.17.1.jar
    • log4j-core-2.17.1.jar
    Connector Manager<Connector Manager_HOME>\Tomcat\shared\lib_repo
    • log4j-core-2.9.1.jar
    • log4j-core-2.17.1.jar
  5. Repeat step 4 for the backup folders created in step 2.

  6. Restart Riskvision.

    If the old log4j jars ( log4j-core-2.9.1.jar & log4j-api-2.9.1.jar ) still exist in locations other than those specified in the table, replace them with the new log4j jars ( log4j-core-2.17.1.jar & log4j-api-2.17.1.jar).