*** APPLIES TO ALL BMC PRODUCTS using Log4j except Control-M ***For Products which do not yet have Patches or procedures available, the following steps demonstrate how to identify Log4j JAR files and the commands to remove the "JndiLookup.class" from the "log4j-core-2.*.jar".
These steps are generic and can be utilized for any products; replace "$TRUESIGHTPSERVER_HOME" with the top-level directory for any other Product which may contain Log4j JAR files.*** The updated "log4j-core-2.*.jar" without the "JndiLookup.class" will not be loaded until the BMC Product is restarted. ***1. Identify Log4j JAR files by version.The following command will identify the existence of Log4j JAR files and highlight the Name and Version based on the contents of the "META-INF/MANIFEST.MF".
Linux
| for LOG4J_JAR in $(find $TRUESIGHTPSERVER_HOME | grep -i "log4j.*jar$"); do ls -al $LOG4J_JAR; unzip -p "$LOG4J_JAR" META-INF/MANIFEST.MF | grep "Bundle-Name\|Bundle-Version\|Implementation-Title\|Implementation-Version"; unzip -l "$LOG4J_JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class | grep JndiLookup; done |
NOTE: Replace "$TRUESIGHTPSERVER_HOME" with the top-level directory for any other Product which may contain Log4j JAR files.
Linux Example for TSPS (TrueSight Presentation Server)
$ for LOG4J_JAR in $(find $TRUESIGHTPSERVER_HOME | grep -i "log4j.*jar$"); do ls -al $LOG4J_JAR; unzip -p "$LOG4J_JAR" META-INF/MANIFEST.MF | grep "Bundle-Name\|Bundle-Version\|Implementation-Title\|Implementation-Version"; unzip -l "$LOG4J_JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class | grep JndiLookup; done
-rwxrwxr-x 1 truesight bmc 292244 Mar 19 2020 /opt/bmc/TrueSightPServer/truesightpserver/lib/dependencies/log4j-api-2.13.1.jar
Bundle-Name: Apache Log4j API
Implementation-Title: Apache Log4j API
Implementation-Version: 2.13.1
Bundle-Version: 2.13.1
-rwxrwxr-x 1 truesight bmc 201684 Feb 25 2020 /opt/bmc/TrueSightPServer/truesightpserver/lib/dependencies/log4j-1.2-api-2.13.1.jar
Bundle-Name: Apache Log4j 1.x Compatibility API
Implementation-Title: Apache Log4j 1.x Compatibility API
Implementation-Version: 2.13.1
Bundle-Version: 2.13.1
-rwxrwxr-x 1 truesight bmc 1702809 Mar 19 2020 /opt/bmc/TrueSightPServer/truesightpserver/lib/dependencies/log4j-core-2.13.1.jar
Bundle-Name: Apache Log4j Core
Implementation-Title: Apache Log4j Core
Implementation-Version: 2.13.1
Bundle-Version: 2.13.1
2892 02-25-2020 19:53 org/apache/logging/log4j/core/lookup/JndiLookup.class
-rwxrwxr-x 1 truesight bmc 63731 Aug 8 2018 /opt/bmc/TrueSightPServer/truesightpserver/modules/elasticsearch/lib/log4j-1.2-api-2.11.1.jar
Bundle-Name: Apache Log4j 1.x Compatibility API
Bundle-Version: 2.11.1
-rwxrwxr-x 1 truesight bmc 264060 Aug 8 2018 /opt/bmc/TrueSightPServer/truesightpserver/modules/elasticsearch/lib/log4j-api-2.11.1.jar
Implementation-Title: Apache Log4j API
Implementation-Version: 2.11.1
Bundle-Name: Apache Log4j API
Bundle-Version: 2.11.1
-rwxrwxr-x 1 truesight bmc 1607947 Aug 8 2018 /opt/bmc/TrueSightPServer/truesightpserver/modules/elasticsearch/lib/log4j-core-2.11.1.jar
Implementation-Title: Apache Log4j Core
Implementation-Version: 2.11.1
Bundle-Name: Apache Log4j Core
Bundle-Version: 2.11.1
2937 07-22-2018 20:45 org/apache/logging/log4j/core/lookup/JndiLookup.class
-rwxrwxr-x 1 truesight bmc 23241 Mar 21 2019 /opt/bmc/TrueSightPServer/truesightpserver/modules/elasticsearch/modules/x-pack-security/log4j-slf4j-impl-2.11.1.jar
Implementation-Title: Apache Log4j SLF4J Binding
Implementation-Version: 2.11.1
Bundle-Name: Apache Log4j SLF4J Binding
Bundle-Version: 2.11.1 |
Windows
| @ECHO OFF & FOR /F "usebackq delims==$" %i IN (`dir /b /s "%TRUESIGHTPSERVER_HOME%" ^| find /I "log4j" ^| find /I ".jar"`) DO @ECHO: & @ECHO "%i" & "%TRUESIGHTPSERVER_HOME%\truesightpserver\modules\jdk\bin\jar" -xvf "%i" META-INF/MANIFEST.MF & findstr "Bundle-Name Bundle-Version Implementation-Title Implementation-Version" META-INF\MANIFEST.MF & "%TRUESIGHTPSERVER_HOME%\truesightpserver\modules\jdk\bin\jar" -tvf "%i" org/apache/logging/log4j/core/lookup/JndiLookup.class & del META-INF\MANIFEST.MF & @ECHO ON |
NOTES: - Replace
"$TRUESIGHTPSERVER_HOME" with the top-level directory for any other Product which may contain Log4j JAR files.
- Replace both references to the
"%TRUESIGHTPSERVER_HOME%\truesightpserver\modules\jdk\bin\jar" with the fully-qualified path to the
%JDK_HOME%\bin\jar utility.
- There is no equivalent unzip command on Windows to view the "META-INF\MANIFEST.MF" or to verify the existence of the "JndiLookup.class" within the Log4J JAR files.
Windows Example for TSPS (TrueSight Presentation Server)
C:\>@ECHO OFF & FOR /F "usebackq delims==$" %i IN (`dir /b /s "%TRUESIGHTPSERVER_HOME%" ^| find /I "log4j" ^| find /I ".jar"`) DO @ECHO: & @ECHO "%i" & "%TRUESIGHTPSERVER_HOME%\truesightpserver\modules\jdk\bin\jar" -xvf "%i" META-INF/MANIFEST.MF & findstr "Bundle-Name Bundle-Version Implementation-Title Implementation-Version" META-INF\MANIFEST.MF & "%TRUESIGHTPSERVER_HOME%\truesightpserver\modules\jdk\bin\jar" -tvf "%i" org/apache/logging/log4j/core/lookup/JndiLookup.class & del META-INF\MANIFEST.MF & @ECHO ON
"C:\Program Files\BMC Software\TrueSightPServer\truesightpserver\lib\dependencies\log4j-1.2-api-2.13.1.jar"
inflated: META-INF/MANIFEST.MF
Bundle-Name: Apache Log4j 1.x Compatibility API
Implementation-Title: Apache Log4j 1.x Compatibility API
Implementation-Version: 2.13.1
Bundle-Version: 2.13.1
"C:\Program Files\BMC Software\TrueSightPServer\truesightpserver\lib\dependencies\log4j-api-2.13.1.jar"
inflated: META-INF/MANIFEST.MF
Bundle-Name: Apache Log4j API
Implementation-Title: Apache Log4j API
Implementation-Version: 2.13.1
Bundle-Version: 2.13.1
"C:\Program Files\BMC Software\TrueSightPServer\truesightpserver\lib\dependencies\log4j-core-2.13.1.jar"
inflated: META-INF/MANIFEST.MF
Bundle-Name: Apache Log4j Core
Implementation-Title: Apache Log4j Core
Implementation-Version: 2.13.1
Bundle-Version: 2.13.1
2892 Tue Feb 25 19:53:28 EST 2020 org/apache/logging/log4j/core/lookup/JndiLookup.class
"C:\Program Files\BMC Software\TrueSightPServer\truesightpserver\modules\elasticsearch\lib\log4j-1.2-api-2.11.1.jar"
inflated: META-INF/MANIFEST.MF
Bundle-Name: Apache Log4j 1.x Compatibility API
Bundle-Version: 2.11.1
"C:\Program Files\BMC Software\TrueSightPServer\truesightpserver\modules\elasticsearch\lib\log4j-api-2.11.1.jar"
inflated: META-INF/MANIFEST.MF
Implementation-Title: Apache Log4j API
Implementation-Version: 2.11.1
Bundle-Name: Apache Log4j API
Bundle-Version: 2.11.1
"C:\Program Files\BMC Software\TrueSightPServer\truesightpserver\modules\elasticsearch\lib\log4j-core-2.11.1.jar"
inflated: META-INF/MANIFEST.MF
Implementation-Title: Apache Log4j Core
Implementation-Version: 2.11.1
Bundle-Name: Apache Log4j Core
Bundle-Version: 2.11.1
2937 Sun Jul 22 20:45:20 EDT 2018 org/apache/logging/log4j/core/lookup/JndiLookup.class
"C:\Program Files\BMC Software\TrueSightPServer\truesightpserver\modules\elasticsearch\modules\x-pack-security\log4j-slf4j-impl-2.11.1.jar"
inflated: META-INF/MANIFEST.MF
Implementation-Title: Apache Log4j SLF4J Binding
Implementation-Version: 2.11.1
Bundle-Name: Apache Log4j SLF4J Binding
Bundle-Version: 2.11.1 |
2. Remove the "JndiLookup.class" from the "log4j-core-2.*.jar".The following command will remove the "JndiLookup.class" from the specified "log4j-core-2.*.jar".
Linux
| zip -q -d "$LOG4J_JAR" org/apache/logging/log4j/core/lookup/JndiLookup.class |
NOTE: Replace the reference to
"$LOG4J_JAR" with the fully-qualified path to the "log4j-core-2.*.jar".
Linux Example for TSPS (TrueSight Presentation Server)
zip -q -d $TRUESIGHTPSERVER_HOME/truesightpserver/lib/dependencies/log4j-core-2.13.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -q -d $TRUESIGHTPSERVER_HOME/truesightpserver/modules/elasticsearch/lib/log4j-core-2.11.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class |
Windows
1. Rename the "log4j-core-2.*.jar" to "log4j-core-2.*.jar.zip" to enable Windows Explorer to Open the file.
2. Drill-down into the "log4j-core-2.*.jar.zip" using Windows Explorer to select the "org/apache/logging/log4j/core/lookup/JndiLookup.class".
3. Delete the "JndiLookup.class" by right-clicking to select "Delete" from the Context-menu.
4. Click "Yes" on the "Delete File" dialog and the JndiLookup.class will be deleted from the selected "log4j-core-2.*.jar.zip".
Are you sure you want to permanently delete this file?
JndiLookup.class
Type: CLASS File
Date modified: 2/25/2020 7:53 PM
Size: 2.82 KB
5. Rename the "log4j-core-2.*.jar.zip" back to "log4j-core-2.*.jar". |