Issue CVE-2021-44228 (Log4Shell)

Updated: December 29th, 2021

Description

On 12/10/2021, a severe security issue was detected in Apache Log4J2 (CVE-2021-44228).

FSI Server uses Apache Log4J2 to provide access to FSI Server metric data. Because of this Log4J2 issue, an attacker who controls an LDAP server may execute arbitrary code by sending specially crafted strings that Log4J2 processes. You should therefore take immediate action to restore the security of your FSI Server setup.

The issue affects FSI Server versions 20.02 through 21.11. If you are using one of these versions, please take immediate action.
Previous versions use log4j version 1 and are not directly affected, although log4j 1 is also vulnerable in certain configurations. Since log4j version 1 is no longer maintained, we strongly recommend updating to the latest version of FSI Server.

NeptuneLabs hosting customers do not need to take action. These servers were updated on 10th December 2021.

Solutions

There are two ways to fix the vulnerability:

  1. Update to the latest version of FSI Server, 21.12, which contains log4j 2.17.1
  2. Set an environment variable in your Docker setup to disable the JNDI lookup

Option 1. Updating to FSI Server 21.12 (recommended)

It's highly recommended to update to version 21.12 from our Docker repository, since it contains a fixed version of Log4J2.

Before updating, please log into your FSI Server as administrator and check under the Licence tab whether your licence is valid for version 21.12.

If your licence does not cover the latest version, please contact us at support@neptunelabs.com to receive an updated licence.

Option 2. Set an environment variable to disable the JNDI lookup (temporarily and not recommended)

It is possible to temporarily fix the security issue by setting an environment variable when starting FSI Server. This prevents the problem described above.

in docker-compose.yml:

Earlier workarounds that replaced setenv.sh are no longer necessary once the environment variable is set.
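The following script is an added example for checking a deployment against the two options above; it is not NeptuneLabs' code and nothing in it comes from the advisory's own configuration snippets. It assumes the FSI Server service is defined with an image tag of the form "<repo>/fsi-server:YY.MM" (the image name is hypothetical) and that the temporary mitigation is Log4j 2's LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable, which is Apache's documented name for the setting and not taken from this page. The sample docker-compose.yml contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not NeptuneLabs' code): audit a docker-compose.yml for the two
# mitigations in this advisory. Assumptions not taken from the page: the FSI
# Server service uses an image tag of the form "<repo>/fsi-server:YY.MM"
# (hypothetical image name), and the temporary mitigation is Log4j 2's
# LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable as documented by Apache.

# Succeeds when the compose file pins an FSI Server image at 21.12 or newer.
fsi_image_updated() {
  # $1 = path to docker-compose.yml; extract "YY.MM" from the image tag
  tag=$(sed -n 's/^[[:space:]]*image:[[:space:]]*.*fsi-server:\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' "$1" | head -n 1)
  [ -n "$tag" ] || return 1
  major=${tag%%.*}
  minor=${tag#*.}
  [ "$major" -gt 21 ] || { [ "$major" -eq 21 ] && [ "$minor" -ge 12 ]; }
}

# Succeeds when LOG4J_FORMAT_MSG_NO_LOOKUPS is set to true, in either the
# list form ("- VAR=true") or the map form ("VAR: true") of "environment:".
fsi_lookups_disabled() {
  grep -Eq '^[[:space:]]*-?[[:space:]]*LOG4J_FORMAT_MSG_NO_LOOKUPS[=:][[:space:]]*"?true"?' "$1"
}

# Prints one word: updated (option 1), mitigated (option 2) or VULNERABLE.
fsi_status() {
  if fsi_image_updated "$1"; then
    echo updated
  elif fsi_lookups_disabled "$1"; then
    echo mitigated
  else
    echo VULNERABLE
  fi
}

# Constructed sample compose files, written to temp files so the functions
# can be exercised without touching a real deployment.
FSI_SAMPLE_OLD=$(mktemp)
cat >"$FSI_SAMPLE_OLD" <<'EOF'
services:
  fsi:
    image: example/fsi-server:21.11
    ports:
      - "8080:8080"
EOF

FSI_SAMPLE_MITIGATED=$(mktemp)
cat >"$FSI_SAMPLE_MITIGATED" <<'EOF'
services:
  fsi:
    image: example/fsi-server:21.11
    environment:
      - LOG4J_FORMAT_MSG_NO_LOOKUPS=true
EOF

FSI_SAMPLE_UPDATED=$(mktemp)
cat >"$FSI_SAMPLE_UPDATED" <<'EOF'
services:
  fsi:
    image: example/fsi-server:21.12
EOF

# Usage: fsi_status /path/to/docker-compose.yml
for f in "$FSI_SAMPLE_OLD" "$FSI_SAMPLE_MITIGATED" "$FSI_SAMPLE_UPDATED"; do
  printf '%s: %s\n' "$f" "$(fsi_status "$f")"
done
```

The check only reads the compose file, so it tells you what the next `docker compose up` will deploy, not what is running now; confirm the live container with `docker inspect` or by checking the log4j jar version inside it. Treat "mitigated" as a stopgap only: Apache's later guidance is that the no-lookups setting does not cover every attack path, which is why the advisory marks option 2 as temporary and recommends the 21.12 update.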

Questions?

If you have any questions, encounter issues or need help with the installation, please feel free to contact us at support@neptunelabs.com at any time.