A serious remote code execution (RCE) vulnerability in Apache Log4j could affect customers running some OpenNMS products. It could allow an attacker to compromise your system by causing OpenNMS to log specially crafted messages into system log files. Apache Log4j could interpret one of those messages as an instruction to download, run, or install malicious software.
To mitigate this risk, consult the following list and either install the latest OpenNMS software upgrade or apply the work-around for your product.
For more information about the Log4j vulnerability, see the Apache Log4j security notice for CVE-2021-44228 at https://logging.apache.org/log4j/2.x/security.html.
Version: Meridian 2021.1.7, 2020.1.15, 2019.1.26, or earlier
- Work-around : Edit or create the $OPENNMS_HOME/etc/log4j2.component.properties file to include the line: log4j.formatMsgNoLookups=true and restart Meridian
- Permanent Fix: Upgrade to Meridian 2021.1.8, 2020.1.15, 2019.1.27, or newer
Version: Horizon 29.0.2 or earlier
- Work-around : Edit or create the $OPENNMS_HOME/etc/log4j2.component.properties file to include the line: log4j.formatMsgNoLookups=true and restart Horizon
- Permanent Fix: Upgrade to Horizon 29.0.3 or newer
Version: PoweredBy OpenNMS
- Work-around : Not available
- Permanent Fix: Pull from the latest GitHub source that has Log4j2 v2.15.0 or newer in pom.xml
Version: Minions derived from Meridian 2021.1.7, 2020.1.15, 2019.1.26, Horizon 29.0.2, or earlier
- Work-around : For each Minion, edit /opt/minion/etc/config.properties config file to include the line: log4j.formatMsgNoLookups=true and restart the Minion
- Permanent Fix: Upgrade to Minion included with Meridian 2021.1.8, 2020.1.15, 2019.1.27, Horizon 29.0.3, or newer
Version: Minion Appliance – all versions
- Work-around : Not applicable – Automatic Updates
- Permanent Fix: Appliance service provides automatic updates
Version: Sentinels derived from Meridian 2021.1.7, 2020.1.15, 2019.1.26, Horizon 29.0.2, or earlier
- Work-around : For each Sentinel, edit /opt/sentinel/etc/config.properties config file to include the line: log4j.formatMsgNoLookups=true and restart Sentinel
- Permanent Fix: Upgrade to Sentinel included with Meridian 2021.1.8, 2020.1.15, 2019.1.27, Horizon 29.0.3, or newer
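The work-around edit above can be applied and checked the same way on every host. The script below is an added example, not OpenNMS code: the function names and the script name apply-nolookups.sh are hypothetical, and the file paths you pass in are the ones listed in this advisory.

```shell
#!/bin/sh
# Added example (not OpenNMS code): apply the work-around line to a
# properties file without duplicating it or disturbing other settings.
# Usage (script name is hypothetical):
#   sh apply-nolookups.sh "$OPENNMS_HOME/etc/log4j2.component.properties"
#   sh apply-nolookups.sh /opt/minion/etc/config.properties
# The service must still be restarted afterwards, as the advisory says.

PROP_RE='log4j\.formatMsgNoLookups'     # regex form of the property name
ACTIVE_RE="^[[:space:]]*${PROP_RE}[[:space:]]*[=:]"   # uncommented assignment

# is_mitigated FILE: succeeds only if the property is assigned at least once
# and every uncommented assignment has the value "true".
is_mitigated() {
    vals=$(grep -E "$ACTIVE_RE" "$1" 2>/dev/null |
           sed -E 's/^[^=:]*[=:][[:space:]]*//; s/[[:space:]]*$//' | sort -u)
    [ "$vals" = "true" ]
}

# ensure_nolookups FILE: create FILE if missing, remove conflicting
# assignments, and leave exactly one log4j.formatMsgNoLookups=true line.
ensure_nolookups() {
    file=$1
    is_mitigated "$file" && return 0            # already correct: no rewrite
    [ -e "$file" ] || : > "$file" || return 1   # "edit or create"
    tmp=$(mktemp) || return 1
    # Keep every line except active assignments of the property
    # (comments mentioning it are kept); grep exits 1 on an empty result.
    grep -v -E "$ACTIVE_RE" "$file" > "$tmp" || true
    printf '%s\n' 'log4j.formatMsgNoLookups=true' >> "$tmp"
    # Write through the original path so ownership and mode are preserved.
    cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Apply to every file named on the command line and report the result.
for f in "$@"; do
    if ensure_nolookups "$f" && is_mitigated "$f"; then
        echo "ok: $f"
    else
        echo "FAILED: $f" >&2
    fi
done
```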