Apache Log4j 2 versions 2.0 to 2.17.0 contain a vulnerability that exposes the library to remote code execution attacks. The vulnerability is not present in later versions of Log4j 2, and users running an affected version can patch against it by following the steps below.
To patch the Log4j 2 vulnerability:
1. Stop all RiskVision services.
2. Back up the server installation folders. By default these are C:\Server, C:\ReportServer, and C:\ConnectorManager.
3. Download the latest log4j .jar files (log4j-core-2.17.1.jar and log4j-api-2.17.1.jar, as listed in the table below).
4. For each file path location in the table below, remove the old log4j jars and place the new log4j jars listed for that location.
Area / file path location, with the old log4j jars to remove and the new log4j jars to add:

RV - <RiskVision_HOME>\install\shared\lib_repo
    Old: log4j-core-2.9.1.jar
    New: log4j-core-2.17.1.jar

RV - <RiskVision_HOME>\install\toolbox\lib
    Old: log4j-api-2.9.1.jar, log4j-core-2.9.1.jar
    New: log4j-api-2.17.1.jar, log4j-core-2.17.1.jar

RV - <RiskVision_HOME>\tomcat\lib
    Old: log4j-api-2.9.1.jar, log4j-core-2.9.1.jar
    New: log4j-api-2.17.1.jar, log4j-core-2.17.1.jar

RV - <RiskVision_HOME>\tomcat\shared\lib_repo
    Old: log4j-core-2.9.1.jar
    New: log4j-core-2.17.1.jar

RV - <RiskVision_HOME>\Services\RC\temp\jetty-127.0.0.1-9080-agiliance_service-<risk vision version>.war-_service-any-<number>.dir\webapp\WEB-INF\lib (only present in RV 9.5 and 9.6)
    Old: log4j-api-2.9.1.jar, log4j-core-2.9.1.jar
    New: log4j-api-2.17.1.jar, log4j-core-2.17.1.jar

RV - <RiskVision_HOME>\Services\RC\lib\agiliance_service-<risk vision version>.war\WEB-INF\lib
    Old: log4j-api-2.9.1.jar, log4j-core-2.9.1.jar
    New: log4j-api-2.17.1.jar, log4j-core-2.17.1.jar

Connector Manager - <Connector Manager_HOME>\install\shared\lib_repo
    Old: log4j-core-2.9.1.jar
    New: log4j-core-2.17.1.jar

Connector Manager - <Connector Manager_HOME>\Tomcat\lib
    Old: log4j-api-2.9.1.jar, log4j-core-2.9.1.jar
    New: log4j-api-2.17.1.jar, log4j-core-2.17.1.jar

Connector Manager - <Connector Manager_HOME>\Tomcat\shared\lib_repo
    Old: log4j-core-2.9.1.jar
    New: log4j-core-2.17.1.jar
5. Repeat step 4 for the backup folders created in step 2.
6. Restart RiskVision.
Note: If the old log4j jars (log4j-core-2.9.1.jar and log4j-api-2.9.1.jar) still exist in locations other than those listed in the table, replace them with the new log4j jars (log4j-core-2.17.1.jar and log4j-api-2.17.1.jar) as well.
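The jar replacement in steps 4 and 5, together with the check for stray old jars in the note above, can be done from an elevated PowerShell session. The script below is an added example and is not RiskVision's own tooling; the $Roots and $NewJarDir values are placeholders for your environment, it assumes the 2.17.1 jars have already been downloaded into $NewJarDir (step 3), and it assumes the services are already stopped (step 1) so that no JVM holds the old jars open. It scans every root recursively, so the exploded .war and jetty temp directories from the table are covered without listing each path, and it reports any log4j-core or log4j-api jar that is still not 2.17.1 after the swap. Run it with -WhatIf first to see what would change.

```powershell
# Added example (not RiskVision's own tooling): inventory, replace and verify
# log4j-core / log4j-api jars under the RiskVision and Connector Manager roots.
# Assumptions: $Roots and $NewJarDir are placeholders; the 2.17.1 jars are
# already downloaded into $NewJarDir; all RiskVision services are stopped.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Installation roots from step 2, plus any backup copies you want patched (step 5).
    [string[]]$Roots = @('C:\Server', 'C:\ReportServer', 'C:\ConnectorManager'),
    # Placeholder: folder holding the downloaded log4j-core-2.17.1.jar and log4j-api-2.17.1.jar.
    [string]$NewJarDir = 'C:\log4j-2.17.1',
    [string]$OldVersion = '2.9.1',
    [string]$NewVersion = '2.17.1'
)

$artifacts = @('log4j-core', 'log4j-api')
$jarFilter = @('log4j-core-*.jar', 'log4j-api-*.jar')

# Refuse to touch anything unless both replacement jars are present.
foreach ($a in $artifacts) {
    $src = Join-Path $NewJarDir "$a-$NewVersion.jar"
    if (-not (Test-Path -Path $src -PathType Leaf)) { throw "Missing replacement jar: $src" }
}

# Inventory: every log4j-core/-api jar of any version under the roots, including
# exploded .war directories and the jetty temp webapp folders from the table.
$found = Get-ChildItem -Path $Roots -Recurse -File -Include $jarFilter -ErrorAction SilentlyContinue
Write-Host "log4j jars found before patching:"
$found | Select-Object DirectoryName, Name | Sort-Object DirectoryName | Format-Table -AutoSize

# Replace: in each directory holding an old jar, copy in the new jar, then delete the old one.
# Remove-Item fails on a jar that a running JVM still has open, which is why step 1 comes first.
$pattern = "^(log4j-(?:core|api))-$([regex]::Escape($OldVersion))\.jar$"
foreach ($jar in $found) {
    if ($jar.Name -match $pattern) {
        $artifact = $Matches[1]
        $src  = Join-Path $NewJarDir "$artifact-$NewVersion.jar"
        $dest = Join-Path $jar.DirectoryName "$artifact-$NewVersion.jar"
        if ($PSCmdlet.ShouldProcess($jar.FullName, "Replace with $artifact-$NewVersion.jar")) {
            Copy-Item -Path $src -Destination $dest -Force
            Remove-Item -Path $jar.FullName -Force
        }
    }
}

# Verify: anything that is not the new version is flagged for manual follow-up,
# which covers the "other locations" case in the note above.
$remaining = Get-ChildItem -Path $Roots -Recurse -File -Include $jarFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notlike "*-$NewVersion.jar" }
if ($remaining) {
    Write-Warning "log4j jars other than version $NewVersion remain:"
    $remaining | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Host "All log4j-core/log4j-api jars under the given roots are version $NewVersion."
}
```

Run it as `.\Patch-Log4j.ps1 -WhatIf` to get the inventory and a dry run of the replacements, then without -WhatIf to apply them; pass `-Roots` with extra paths if your backups from step 2 live somewhere other than the default folders. The verification pass only finds jars named log4j-core-*.jar or log4j-api-*.jar, so a log4j copy that has been renamed or bundled inside another archive would still need a manual check.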